Abstract

We prove the security of theoretical quantum key distribution against the most general attacks which can be performed on the channel, by an eavesdropper who has unlimited computation abilities, and the full power allowed by the rules of classical and quantum physics. A key created that way can then be used to transmit secure messages such that their security is also unaffected in the future.
1 Introduction

Quantum key distribution [3,2] uses the power of quantum mechanics to suggest the distribution of a key that is secure against an adversary with unlimited computation power. Such a task is beyond the ability of classical information processing; thus, it is the main success of the original idea of Wiesner [34] who suggested using quantum mechanics to perform cryptographic tasks. The extra power gained by the use of quantum bits (quantum two-level systems, "qubits") is due to the fact that the state of such a system cannot be cloned. [Of course, one could use higher level quantum systems as well.] On the other hand, the security of conventional key distribution is based on the (unproven) existence of various one-way functions, and mainly on the difficulty of factoring large numbers, a problem which is assumed to be difficult for a classical computer, and is proven to be easy for a hypothetical quantum computer [32].

The quantum key distribution (QKD) scheme considered in our work is the 
protocol of Bennett and Brassard [3], known as the BB84 protocol. The legitimate 
users of this (actually, of any) QKD protocol are conventionally called Alice (the 
sender) and Bob (the receiver). Their aim is to create and share a secret key. 

There are several classes of attacks (see for instance [8, 7]) on quantum key distribution that can be performed by an eavesdropper having full control of the channel. The simplest ones are known as individual-particle attacks [17] in which the transmitted qubits are attacked separately, so that the eavesdropper can be left with some optimal classical information about each transmitted quantum bit. The eavesdropper can use this classical information in order to learn some information about the final secret key. In contrast, in the most general attack called the "joint attack", all transmitted quantum particles are attacked together, and the eavesdropper's goal is to learn as much information as possible about the final key, rather than about each transmitted qubit. A special class of the joint attack, the "collective attack" [8] was shown to provide more information to the eavesdropper than an individual-particle attack [5]. We further explain the differences between the individual-particle attacks, the collective attacks, and the most general attacks (the joint attacks) in Subsection 2.2, when we describe the two steps of Eve's attack. Various proofs of security were previously obtained against collective attacks [8,9,7,29] (which is a most important subclass of the joint attack), and we continue this line of research here to prove the ultimate security of QKD, against any attack (under the conventional assumptions of theoretical QKD, as explained below). Note that the eavesdropper is assumed to have unlimited technology (e.g., unlimited computing power, a quantum memory, a quantum computer), while the legitimate users use practical tools (or more precisely, simplifications of practical tools). Such assumptions are required since the aim of the invention of quantum key distribution is to obtain a practical key distribution scheme, which is proven secure against any attack, even one which is far from being practical with current technology.

To prove security against such a super-strong eavesdropper, conventionally called Eve, we develop some important technical tools and we reach some novel results: We obtain a new information versus disturbance result, where the power of quantum information theory is manifested in an intuitive and clear way. We show explicitly how the randomness of the choice of bases, and the randomness of the choice of test-bits provides the desired security of QKD. We adopt and generalize sophisticated tools invented in [7]: "Purifications" which simplify Eve's states, a bound on accessible information (using Trace-Norm-Difference of density matrices) which avoids any complicated optimization of Eve's possible measurements, and a connection between Eve's accessible information and the error-rate she induces. We add some more simplifications (which were not required in the analysis of collective attacks in [7]): a reduction to a scheme in which all qubits are used by Alice and Bob, and a symmetrization of Eve's attack.

This paper complements the result of Bennett, Mor, and Smolin [5]: That paper shows that individual particle attacks are strictly weaker (less informative to the eavesdropper) than joint attacks^1, and the current paper shows that security can still be obtained even when the eavesdropper applies the strongest joint attacks. The current paper also complements the work of Bennett, Brassard, Crépeau, and Maurer [4]: That paper shows that privacy amplification provides security when the eavesdropper is restricted to perform only individual particle attacks, and the current paper shows that privacy amplification provides security when the eavesdropper is not restricted, and can apply any joint attack on the particles.

Two other security proofs, [26,27] and [24,23], were reported just prior to ours [6]. The security result of Lo and Chau [24] [note that some of the details were completed or improved in [23]] uses novel techniques and is very important, but it is somewhat limited: The QKD protocol which is analyzed in [24] requires that the legitimate users have quantum memories and fault tolerant quantum computers, technologies which are not yet available to the legitimate users, and are not expected within the next ten or twenty years, while the QKD protocol which is analyzed here, the BB84 protocol, is now demonstrated with some partial success in many labs (see many references in Gisin's reviews [36,20]). Some of the ideas used in [24] appeared earlier [e.g., the quantum privacy amplification [16], the quantum repeaters [28,29], and the use of fault tolerant quantum error correction for performing quantum privacy amplification [28,29]], but Lo and Chau succeeded in using them to yield a novel proof of security from classical random sampling techniques. The security result of Mayers [26,27] is similar to ours in the sense that it proves the security of a much more realistic protocol against an unrestricted eavesdropper, and provides explicit bounds on the eavesdropper's information. It continues earlier works such as a solution to the error-free case [35].

Our proof is different from Mayers', was derived independently, and may shed more light on the subject. We analyze the density matrices which are available to the eavesdropper and we prove that it is extremely rare that these density matrices carry non-negligible information about the secret key, and at the same time, Alice and Bob agree to form a secret key. In other words, it is extremely rare that Alice and Bob agree to form a secret key about which these density matrices reveal non-negligible information.



^1 Many of the leading researchers in experimental quantum cryptography are unfamiliar with this work of Bennett, Mor and Smolin, and still wrongly state that individual particle attacks could be as strong as collective/joint attacks.
Two additional proofs were announced more recently [33,1]. Shor and Preskill's proof [33] proposes a way to extend Lo and Chau's proof so that it becomes applicable to a more practical protocol, hence bypasses the main limitation of Lo and Chau's proof. A written draft of the proof of Ben-Or is expected in the near future [1].

We base our work on standard assumptions of QKD: 1) We assume the correctness of quantum theory and its relativistic generalizations, as these were verified with incredible accuracy in many experiments. 2) Alice and Bob share an unjammable classical channel. This assumption is usually replaced by the demand that the classical channel is "unforgeable"; an unforgeable channel can be modified by an eavesdropper, but Alice and Bob will notice that, with probability exponentially close to 1. If Alice and Bob share a much shorter secret key to be used for authenticating a standard classical channel, they can indeed obtain an unforgeable channel (hence the protocol is then a quantum key expansion protocol, although everyone still calls it QKD). 3) Eve cannot attack Alice's and Bob's laboratories. She can only attack the quantum channel and listen to all transmissions on the classical channel. 4) Alice sends quantum bits, i.e. two level systems. This assumption cannot be fully met in any experimental scenario, but can only be approximated.

We prove, under those assumptions, the security of the BB84 protocol [3], 
against any attack allowed by the rules of quantum physics. We prove security for 
instances in which the error rate in the transmission from Alice to Bob is up to 
7.56%. 

Although experimental QKD is very common (see for instance Gisin's reviews [36,20]), at the present time no experimental system whatsoever is proven unconditionally secure. Some security analyses which take into account corrections due to having more than two levels in the quantum systems have been provided [12,11], but research in this area is still in its early stages. In fact, many experimental systems are totally insecure due to the photon-number-splitting attack [11].

Quantum cryptography [34,3] is described in several publications, some of which also introduce the notations in a more expository way. Readers unfamiliar with the basics of quantum information processing are referred to any recently published textbook on the subject, e.g., [30,21]. Here we focus on QKD [3,2] and specifically on the BB84 protocol [3].

In BB84 we let

$|0\rangle_0 \equiv |0\rangle ; \qquad |1\rangle_0 \equiv |1\rangle ;$

$|0\rangle_1 \equiv \tfrac{1}{\sqrt{2}}\left(|0\rangle + |1\rangle\right) ; \qquad |1\rangle_1 \equiv \tfrac{1}{\sqrt{2}}\left(|0\rangle - |1\rangle\right) ,$

define four states, such that the first two are orthogonal in one basis (known as the computation basis, or the "z" basis), and the other two are orthogonal in another basis (the "x" basis). [Using these "spin" notations the bases are $|\,\rangle_0 = |\,\rangle_z$ and $|\,\rangle_1 = |\,\rangle_x$.] Note that the two bases are conjugate, namely, applying a measurement in one basis on a state belonging to the other basis gives a fully random outcome. In the BB84 protocol Alice and Bob use these four possible quantum states. Therefore, we shall refer to these states as the BB84 states.

The quantum part of the communication in the BB84 protocol contains one step: Alice sends Bob a string of qubits, each in one of the four BB84 states (chosen randomly by Alice). To simplify the analysis, we assume all qubits are sent to Eve, and then Eve sends all qubits to Bob^2.

The rest of the protocol involves sending classical communication via the unjammable channel. First Alice sends Bob the basis used for each photon. By comparing bases after Alice sends such a state for each qubit and Bob receives the qubit, a common key can be created in instances when Alice and Bob used the same basis. Comparing the bases must be performed after Bob receives the qubits, so that the eavesdropper cannot benefit from having this knowledge while still holding the qubits. The common key obtained from the above steps is known as the "sifted key". A final key is then obtained from the sifted key, after performing several more steps: testing the error rate on some test bits, chosen at random; throwing away these test bits, while Alice and Bob can now have some good estimation of the error rate on the remaining shared bits (called information bits); correcting errors on these information bits, and amplifying the privacy, by creating a shorter final key.

Alternatively, if Bob has a memory where he can keep his qubits unchanged after receiving them (we call such a memory "a quantum memory"), a simpler protocol for obtaining a sifted key results: Bob waits with the received qubits till he learns the bases, and then measures in the right bases. The sifted key is twice as big in this case, or the initial string of qubits can be shortened to half, if the final length of the sifted key is to remain the same.

We prove here the security of that simplified protocol in which only the bits relevant for the sifted key are discussed; we call it the "used-bits-BB84". We formally describe the used-bits protocol (in detail) in the next section. The proof of the security of the original BB84 protocol (in which Bob does not have a quantum memory) easily follows due to a simple reduction, as we show in Appendix A.

In the most general attack on the channel, Eve attacks the qubits in two steps. First, she lets all qubits pass through a device that weakly probes their state via a quantum unitary transformation. Then, after receiving all the classical data, she measures the probe. Eve's goal is to learn as much information as possible about the final key without causing Alice and Bob to abort the protocol due to a failure of the test. We consider here any attack chosen by Eve, described by these two steps, and we prove security against any such attack. We formally explain Eve's most general attack in the next section.

The issue of the security criteria is non-trivial since one obvious security criterion, namely that "Eve's information given that the test passed, is negligible", does not work; this criterion cannot be proven, as a counter example exists^3. Another natural security criterion, saying that "either Eve's average information is negligible or the probability that the test is passed is negligible", also does not work (for a similar reason). The criterion that we shall prove in this work says that "the event where the test is passed AND Eve's information is not negligible, is extremely rare". This security criterion is formally presented in the next section.

^2 In case Eve can only hold each qubit for a short time and must release it before she gets the next, she is less powerful, so our proof of security covers that case as well.

^3 Namely, there is an attack such that Eve's information is large even when the test is passed (although in such cases the test is passed very rarely); such attacks are studied in Section 2.3.

We will moreover show that the final key is reliable: the keys distilled by Alice 
and Bob (after error correction and privacy amplification) are identical except for 
some exponentially small probability. 

Section 2 provides a formal description of the used-bits-BB84 protocol, the most general attacks, and the security and reliability criteria. The rest of the paper contains three main steps leading to the desired proof of security: In Section 3 we reduce the problem of proving security to a simpler problem of optimizing over all attacks symmetric to the bit values 0 and 1. In Section 4 we analyze the information bits in the bases actually used by Alice and Bob, and we prove our main information versus disturbance theorem for symmetric attacks; the eavesdropper's information about the final key is bounded by the probability of errors induced in the other bases (namely, errors induced if the other bases were used by Alice and Bob). We then obtain in Section 5 an exponentially small bound on Eve's information, proving that the security criterion (2.1) described in Section 2 is always satisfied in QKD, provided a good code for error correction and privacy amplification is used. Finally, we analyze a specific code, the random linear code, and we prove security for instances in which the error rate in the transmission from Alice to Bob is up to 7.56%. We also analyze the conditions under which this code can provide data relevant to experimentalists who choose some parameters (such as the number of photons used for the communication) and would like to obtain bounds on Eve's information, on the probability of errors in the final key, and on the resulting bit-rate of the protocol. Such explicit bounds are presented here for any error rate equal to or smaller than 5.50%. We summarize these results in Table 5.1.

We conclude the paper by summarizing the tools used here, and by suggesting that some of them could be relevant for other proofs as well. Various technical details and proofs of several lemmas are provided in the appendices.
2 Notations, the Protocol, Eve's Attack, the Security Criteria, and the Main Results

2.1 The used-bits BB84 protocol 

Let us describe the used-bits protocol in detail, splitting it into creating the sifted key and creating the final key from the sifted key. This simplified protocol assumes that Bob has a quantum memory.

I. Creating the sifted key:

1. Alice and Bob choose a large integer $n$. The protocol uses $2n$ bits.

2. Alice randomly selects two $2n$-bit strings, $b$ and $i$, and sends Bob, via a quantum communication channel, the string of $2n$ qubits

$|i\rangle_b = |i_1\rangle_{b_1}\, |i_2\rangle_{b_2} \cdots |i_{2n}\rangle_{b_{2n}} .$

3. Bob tells Alice when he receives the qubits. [If he received less than $2n$ qubits he adds any missing qubit, but in an arbitrary state. If he received more than $2n$ qubits he ignores any extra qubit. E.g., if qubit number 17 did not arrive Bob will add it (by choosing its value and basis at random), and if two qubits arrived instead of one when Bob expects qubit number 17, then Bob will ignore one of them. Obviously, such cases will contribute to the error rate, $p_{\rm test}$.]

4. Alice publishes the bases she used, $b$; this step should be performed only after Bob received all the qubits.

Bob measures the qubits in Alice's bases to obtain a $2n$-bit string $j$. We shall refer to the resulting $2n$-bit string as the sifted key, and it would be the same for Alice and Bob, i.e. $j = i$, if natural errors and eavesdropping did not exist.

II. Creating the final key from the sifted key:

1. Alice chooses at random a $2n$-bit string $s$ which has exactly $n$ zeroes and $n$ ones. There are $\binom{2n}{n}$ such strings to choose from.

2. From the $2n$ bits, Alice selects a subset of $n$ bits, determined by the zeros in $s$, to be the test bits. Alice publishes the string $s$, along with the values of the test bits (given by an $n$-bit string $i_T$). The values of Bob's bits on the test bits are given by $j_T$.

The other $n$ bits are the information bits (given by an $n$-bit string $i_I$). They are used for deriving a final key via error correction codes (ECC) and privacy amplification (PA) techniques.

Later on, Alice will send the ECC and PA information to Bob, hence Bob needs to correct his errors using the ECC data, and to obtain a final secret key equal to Alice's using the PA data.

3. Bob verifies that the error rate $p_{\rm test} = |i_T \oplus j_T| / n$ on the test bits is lower than some pre-agreed allowed error rate $p_{\rm allowed}$, and aborts the protocol if the error rate is larger. The maximal possible allowed error rate is found in Section 5.4.

4. Bob also publishes the values of his test bits ($j_T$). This is not crucial for the protocol, but it is done to simplify the proof.
5. Alice selects an $(n, k, d)$ linear error correcting code $C$ with $2^k$ code words of $n$ bits and a minimal Hamming distance $d$ between any two words, along with the ECC parities on the information bits. The strategy is that Alice announces an $r \times n$ parity check matrix $P_C$ of $C$ by announcing its $r = n - k$ rows of $n$ bits $v_1, \ldots, v_r$. This means that the code contains any $i$ such that $i \cdot v_g = 0$ for any $g \in \{1, \ldots, r\}$. Formally speaking, $C = \{\, i \in \{0,1\}^n \mid i P_C^T = 0 \,\}$, with $P_C^T$ the transpose of $P_C$. Alice then also announces the $r$-bit string $\xi = i_I P_C^T$ whose bits are the parities of her (random) information string $i_I$ with respect to the parity check matrix (so the $g$-th bit of $\xi$ is $\xi_g = i_I \cdot v_g$ for all $1 \le g \le r$). Bob doesn't announce anything.

We now explain how the code $C$ is chosen. The condition on $C$ is that it corrects $t \ge (p_{\rm allowed} + \epsilon_{\rm rel})\, n$ errors, for some positive (pre-determined) reliability parameter $\epsilon_{\rm rel}$. If an ECC has minimal Hamming distance $d \ge 2t + 1$ it will always correct $t$ errors, and thus the condition $d \ge 2 (p_{\rm allowed} + \epsilon_{\rm rel})\, n + 1$ is sufficient, meaning that any code satisfying this criterion is good for Alice and Bob. For random linear codes a better bound exists, and $d \ge (p_{\rm allowed} + \epsilon_{\rm rel})\, n + 1$ is also sufficient, as noted in [27]; it is not promised that such a code always corrects $t$ errors, but it is promised that it corrects $t$ errors with probability as close to 1 as we want (provided we choose a sufficiently large $n$).

6. Bob performs the correction on his information bits $j_I$ as follows: he finds the $n$-bit string $j_I^{\rm corr}$ such that $j_I^{\rm corr} P_C^T = \xi$ and such that the Hamming distance between $j_I^{\rm corr}$ and $j_I$ is minimal. As long as there are at most $t$ errors in $j_I$ (i.e. $|j_I \oplus i_I| \le t$) the obtained string is unique, and Bob finds the right string, namely $j_I^{\rm corr} = i_I$. Note that we are not concerned here with the efficiency of finding $j_I^{\rm corr}$, but a practical protocol ought to be efficient as well.

7. Alice selects a privacy amplification function (PA) and publishes it. The PA strategy is to publish $m$ strings, of length $n$ each. These privacy-amplification parity-check strings $v_{r+1}, \ldots, v_{r+m}$ shall be used as the rows of an $m \times n$ parity matrix $P_{PA}$, so that the final secret key is $a = i_I P_{PA}^T$, with $a_t = i_I \cdot v_{r+t+1}$ (for $0 \le t \le m - 1$). This strategy is similar to error correction except that the $m$-bit string (namely, the final key) $i_I P_{PA}^T$ is kept secret.

The PA strings must be chosen such that the minimal distance $v$ between any PA parity string $v_{r+g}$ ($1 \le g \le m$) and any string in the span of their union with the parity-check strings of the ECC (the dual to the code) satisfies $v \ge 2 (p_{\rm allowed} + \epsilon_{\rm sec})\, n$. [This is important for preventing Eve from learning much from the error-correcting procedure, and furthermore from learning something about the correlations between the bits of the final key.] Note that, by definition, the minimal distance of the space spanned by the ECC and PA strings $v_1, \ldots, v_{r+m}$, which we shall denote $d^\perp$, is at most the distance $v$; hence if we demand $d^\perp \ge 2 (p_{\rm allowed} + \epsilon_{\rm sec})\, n$, the above desired criterion, $v \ge 2 (p_{\rm allowed} + \epsilon_{\rm sec})\, n$, is automatically satisfied (due to $v \ge d^\perp$).

8. Bob calculates $a = j_I^{\rm corr} P_{PA}^T$ (which equals $i_I P_{PA}^T$ whenever his correction succeeded) to finally get the key.
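As a worked illustration of steps II.1 to II.8, the following Python simulation (an added example, not code from the paper) runs the classical part of the used-bits protocol on constructed toy parameters: $n = 7$ information bits and $7$ test bits, the Hamming $[7,4,3]$ code as the ECC (so $r = 3$ and $t = 1$), and $m = 2$ constructed PA rows. Channel noise is modelled as independent bit flips on the sifted key, standing in for Eve's transformation $U$, to which Section 2.2 attributes all noise without loss of generality. The toy parameters do not satisfy the asymptotic conditions on $d$ and $d^\perp$; `span_min_distance` computes $d^\perp$ so the reader can see the quantity those conditions constrain. All function and constant names are the example's own.

```python
"""Toy simulation of the classical post-processing of the used-bits BB84 protocol.

Constructed example, not the paper's code.  Parameters: n = 7 information bits and
n = 7 test bits (2n = 14 sifted bits), the Hamming [7,4,3] code as the ECC (r = 3
parity-check rows, corrects t = 1 error) and m = 2 constructed PA rows.  Channel
noise is modelled as independent bit flips on the sifted key; this stands in for
Eve's transformation U, to which all noise is attributed without loss of generality.
"""
import random
from itertools import product

N = 7                       # number of information bits (and of test bits)
ECC_ROWS = [                # rows v_1 .. v_r of the parity-check matrix P_C (r = n - k = 3)
    [1, 0, 1, 0, 1, 0, 1],
    [0, 1, 1, 0, 0, 1, 1],
    [0, 0, 0, 1, 1, 1, 1],
]
PA_ROWS = [                 # rows v_{r+1} .. v_{r+m} of the PA matrix P_PA (m = 2, constructed)
    [1, 1, 1, 1, 0, 0, 0],
    [1, 1, 0, 0, 0, 0, 0],
]


def dot(u, v):
    """Inner product over GF(2): parity of the bitwise AND."""
    return sum(a & b for a, b in zip(u, v)) % 2


def parities(x, rows):
    """x P^T: one parity bit per row (xi for the ECC rows, the key a for the PA rows)."""
    return [dot(x, v) for v in rows]


def hamming(u, v):
    """Hamming distance |u xor v|."""
    return sum(a != b for a, b in zip(u, v))


def span_min_distance(rows):
    """Minimal weight of a non-zero vector in the GF(2) span of rows (d^perp for ECC+PA rows)."""
    n = len(rows[0])
    best = n + 1
    for coeffs in product((0, 1), repeat=len(rows)):
        vec = [0] * n
        for c, row in zip(coeffs, rows):
            if c:
                vec = [a ^ b for a, b in zip(vec, row)]
        weight = sum(vec)
        if 0 < weight < best:
            best = weight
    return best


def correct(j_I, xi, rows):
    """Step II.6: the n-bit string with ECC parities xi that is closest to j_I (brute force, n = 7)."""
    candidates = [list(x) for x in product((0, 1), repeat=len(j_I)) if parities(x, rows) == xi]
    return min(candidates, key=lambda x: hamming(x, j_I))


def run_used_bits_bb84(p_noise, p_allowed, seed=0):
    """Steps I.2 to II.8 for one run; returns the test outcome and both final keys."""
    rng = random.Random(seed)
    two_n = 2 * N
    # I.2-I.4: Alice's random bits i.  In the used-bits protocol Bob waits for the
    # published bases and measures in them, so his sifted key j is i up to channel noise.
    i = [rng.randrange(2) for _ in range(two_n)]
    j = [bit ^ int(rng.random() < p_noise) for bit in i]
    # II.1-II.2: s has exactly n zeros (test positions) and n ones (information positions).
    s = [0] * N + [1] * N
    rng.shuffle(s)
    test = [k for k in range(two_n) if s[k] == 0]
    info = [k for k in range(two_n) if s[k] == 1]
    i_T, j_T = [i[k] for k in test], [j[k] for k in test]
    i_I, j_I = [i[k] for k in info], [j[k] for k in info]
    # II.3: Bob checks the error rate on the published test bits.
    p_test = hamming(i_T, j_T) / N
    if p_test > p_allowed:
        return {"passed": False, "p_test": p_test, "alice_key": None, "bob_key": None}
    # II.5-II.6: Alice announces xi = i_I P_C^T; Bob decodes to the nearest string with those parities.
    xi = parities(i_I, ECC_ROWS)
    j_corr = correct(j_I, xi, ECC_ROWS)
    # II.7-II.8: the m-bit final key a = x P_PA^T on each side; equal whenever |j_I xor i_I| <= t = 1.
    return {
        "passed": True,
        "p_test": p_test,
        "info_errors": hamming(i_I, j_I),
        "alice_key": parities(i_I, PA_ROWS),
        "bob_key": parities(j_corr, PA_ROWS),
    }


if __name__ == "__main__":
    print("minimal distance of the span of the ECC rows:", span_min_distance(ECC_ROWS))
    print("d^perp of the ECC+PA rows:", span_min_distance(ECC_ROWS + PA_ROWS))
    for seed in range(5):
        print(run_used_bits_bb84(p_noise=0.1, p_allowed=2 / N, seed=seed))
```

Running the script shows the two regimes the text describes: whenever the test passes and the information bits carry at most $t = 1$ error, Bob's corrected string equals $i_I$ and the two final keys agree; with two or more information-bit errors the Hamming code decodes to a wrong coset element and the keys differ, which is the reliability failure that the condition $t \ge (p_{\rm allowed} + \epsilon_{\rm rel}) n$ makes exponentially rare for large $n$.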
2.2 Eavesdropping

In the most general attack on the channel, Eve attacks the qubits in two steps. First she lets all qubits pass through a device that weakly probes their state via a quantum unitary transformation. Then, after receiving all the classical data, she measures the probe. Note that Eve can gain nothing by measuring the probe earlier, or by measuring the qubits while passing through her. Any such measurement can also be performed by attaching a probe, applying a unitary transformation, and measuring the probe (or part of it) at a later stage. Since there is no gain in performing a measurement before learning all the classical information that is transmitted throughout the protocol, the optimal attack (WLoG) is to perform all measurements after receiving all classical information. Furthermore, Eve gains nothing by sending Bob a state that is not a $2n$ qubit state, so without loss of generality we assume she sends exactly $2n$ photons: If Eve sends less than $2n$ qubits, Bob will add the missing qubits in an arbitrary state (see item I.3 in the protocol), so Eve could have done it herself. If Eve sends more than $2n$ qubits, Bob ignores the extra qubits, and again Eve could have done it herself. [An important remark though: the allowed error rate in these cases must still be limited as described in this work. However, in real applications the natural losses of qubits become very high due to transmission across long distances. If one does not wish to limit the distance too much, and wishes to have security even if losses are much higher than $p_{\rm allowed}$, then this is still possible. See a brief explanation in Appendix A.]

It is important to enable an analysis of Eve's most general attack. Thus we formally split Eve's attack into her transformation $U$ and her measurement $\mathcal{E}$.

Eve's transformation, $U$: Eve attacks the qubits while they are in the channel between Alice and Bob. Eve can perform any attack allowed by the laws of physics, the most general one being any unitary transformation $U$ on Alice's qubits and Eve's probe (an ancilla initially in a state $|0\rangle_E$). We are generous to Eve, allowing her to attack all the qubits together (in practice, she usually needs to release the preceding qubit towards Bob before she has access to the next one).

Without loss of generality we assume that all the noise on the qubits is caused by Eve's transformation.

A remark: In individual-particle attacks and in collective attacks Eve's transformation is restricted so that each transmitted qubit is attacked using a separate, unentangled probe, so that the analysis of $U$ is much simplified. In collective attacks the next step is as general as it is for the joint attacks (so that Eve can measure all probes together). In contrast, in individual-particle attacks Eve is only allowed to measure each probe separately from the others.
Eve's measurement, $\mathcal{E}$: Eve keeps the probe in a quantum memory, meaning that she keeps its state unchanged. After Eve receives all the classical information from Alice and Bob, including the bases of all bits $b$, the choice of test bits $s$, the test bit values $i_T$ and $j_T$, the ECC, the ECC parities $\xi$, and the PA, she tries to guess the final key using her best strategy of measurement. The measurement can be done by adding a second ancilla, and performing a standard projection measurement on Eve's probe and the ancilla. This measurement is alternatively described (without the need for this second ancilla) by the so called "generalized measurement" or "POVM", $\mathcal{E}$, which is a set of positive operators $E_e$ such that $\sum_e E_e = 1$. When the measurement is applied onto a density matrix $\rho$ the outcome $e$ is obtained with probability $p(e) = {\rm Tr}(\rho E_e)$. We fix the set of possible outcomes $e$, so that it is the same for all the POVMs used by Eve after she learns $i_T$, $j_T$, $s$ and $\xi$.^4

For more information about POVMs and their connection to standard projection measurements in an enlarged Hilbert space, see [31,30].

E. Biham, M. Boyer, P. O. Boykin, T. Mor and V. Roychowdhury

Eve's goal is to learn as much information as possible about the final key without causing Alice and Bob to abort the protocol due to a failure of the test. The task of finding Eve's optimal operation in these two steps is very difficult. Luckily, to prove security that task need not be solved, and it is enough to find bounds on Eve's optimal information (via any operation she could have done): In order to analyze her optimal transformation we find bounds for any transformation $U$ she could perform, and in order to analyze her optimal measurement we find bounds for any measurement $\mathcal{E}$ she could perform.



2.3 What does security mean? 

We consider here any attack chosen by Eve, described by $U$ and $\mathcal{E}$. Let us explain what we mean by saying that security shall be proven.

As we already mentioned in the introduction, the issue of the security criteria is non-trivial. One obvious security criterion, namely that "Eve's information given that the test passed, is negligible", can be proven wrong (for QKD), and furthermore, another natural security criterion saying that "either Eve's average information is negligible or the probability that the test is passed is negligible", also does not work.

The criterion that we shall prove here says that "the event where the test is passed AND Eve's information is not negligible, is extremely rare".

To be more precise we formally present now these security criteria. We first provide some relevant information-theoretic notations (for some more basic definitions see Appendix B.1). Let $A$ be the random variable whose values are Alice's final key, $a = i_I P_{PA}^T$, and $E$ be a random variable whose values $e$ are the outputs of Eve's measurement $\mathcal{E}$. Note that $e$ are outcomes of a measurement that itself is a function of all the classical data provided to Eve, the ECC and PA (that can be given to Eve in advance), and also $i_T$, $j_T$, $s$, and $\xi$. However, we usually consider any attack; therefore, for any fixed parameters of the attack $\{U, \mathcal{E}\}$, the resulting $e$ are regular classical values of a regular classical random variable $E$, so all standard rules of classical information theory (as described in Appendix B.1) apply to them. Note that our proof never needs to assume that the ECC data $P_C$ and the PA data $P_{PA}$ are random, or even that these are initially unknown to Eve. Therefore these can be chosen in advance and be considered as fixed parameters of the protocol.



^4 This fixing is allowed due to Davies' theorem [15].
Let $T$ be the random variable presenting whether the test passed or failed ($T$ is "pass" if $|i_T \oplus j_T| \le n p_a$ and is "fail" otherwise, with $p_a$ denoting the allowed error rate, $p_a = p_{\rm allowed}$). Let $c_T = i_T \oplus j_T$ and $c_I = i_I \oplus j_I$ be the error syndromes on the test and the information bits. Let $I(A;E)$ be the mutual information between Alice's final key and the results of Eve's measurement. Since some classical data is given to Eve, let $I_{\rm Eve} = I(A; E \mid i_T, j_T, b, s, \xi)$ be the information Eve has about the key given a particular PA, ECC (that remain fixed parameters), $i_T$, $j_T$, $b$, $s$ and $\xi$ (the parity string on the information bits, $\xi = i_I P_C^T$). This information might be large for some specific values (for instance, if $b$ is fixed, and Eve has accidentally guessed all the bases correctly), but on average it ought to be negligible in order for the key to be secret. The average information obtained by Eve if a key was always created by Alice is $\langle I_{\rm Eve} \rangle = I(A; E \mid I_T, J_T, B, S, \Xi)$, where $I_T$, $J_T$, $B$, $S$ and $\Xi$ are the random variables associated to the random outputs $i_T$, $j_T$, $b$, $s$ and $\xi = i_I P_C^T$. This information cannot be proven to be small, because the fact that the test must be passed is not taken into consideration.

We can now formally present our security criteria. In order to get a better intuition of what security really means, we also formally present in Appendix B.2 the two security criteria mentioned above, criteria that are not met by the QKD protocol. We even prove via counter examples, the SWAP attack and the half-SWAP attack, that these security criteria indeed don't work^5. The SWAP and the half-SWAP examples motivate a more precise definition of security (first used in [27]) that does work properly, and shall be used in the current work.

2.3.1 The security criterion: We show in this paper that the event where the test is passed and Eve obtains meaningful information about the key is extremely unlikely. This is proven here for any attack $\{U, \mathcal{E}\}$. Formally, our security criterion is:

$P\left[ (T = {\rm pass}) \wedge \left( I_{\rm Eve} > A_{\rm info}\, e^{-\beta_{\rm info} n} \right) \right] \le A_{\rm luck}\, e^{-\beta_{\rm luck} n} , \qquad (2.1)$

with $A_{\rm info}$, $\beta_{\rm info}$, $A_{\rm luck}$ and $\beta_{\rm luck}$ positive constants. Note that this is a criterion for exponential security, and a less strict criterion can be defined if one is willing to accept polynomial security (say, with a huge polynomial such as $n^{1000}$). However, exponential criteria are preferable when possible, and we succeed in proving here an exponential security criterion.

2.3.2 An alternative security criterion: Let us define $I'_{Eve}$ to be equal
to $I_{Eve}$ when $T = \mathrm{pass}$ and to be equal to $0$ otherwise. Then, the
event $[(T = \mathrm{pass}) \wedge (I_{Eve} > A_{info}\, e^{-\beta_{info} n})]$ is identical to the event
$[I'_{Eve} > A_{info}\, e^{-\beta_{info} n}]$. The security criterion can now be written more concisely as

$$P\left[I'_{Eve} > A_{info}\, e^{-\beta_{info} n}\right] \le A_{luck}\, e^{-\beta_{luck} n}.$$

Footnote: If Eve is applying the SWAP attack, her information given that the test is passed will
not be small, and the first criterion is not satisfied; if Eve is applying the Half-SWAP attack,
she gets a lot of information (half the bits on average), and yet passes the test with high
probability, so the second criterion is not satisfied. In contrast, the criteria we use in this
paper are satisfied by any attack whatsoever.
The expectancy of $I'_{Eve}$, which is

$$\langle I'_{Eve}\rangle = \sum_{i_T, j_T, b, s, \xi} I'_{Eve}(i_T, j_T, b, s, \xi)\; p(i_T, j_T, b, s, \xi),$$

can now be used to define an important security condition:

$$\langle I'_{Eve}\rangle \le A\, e^{-\beta n}, \qquad (2.2)$$

with $A$ and $\beta$ positive constants. As the following lemma shows, the security criterion,
Eq. (2.1), is implied by this security condition.

Lemma 2.1 If $\langle I'_{Eve}\rangle \le A\, e^{-\beta n}$ for $A > 0$ then

$$P\left[I'_{Eve} > A_{info}\, e^{-\beta_{info} n}\right] \le A_{luck}\, e^{-\beta_{luck} n}$$

for all $A_{info}$, $A_{luck}$, $\beta_{info}$, $\beta_{luck}$ such that $A_{info} A_{luck} = A$, $\beta_{info} + \beta_{luck} = \beta$ and
$A_{luck} > 0$.

[Note that the security criterion (2.1) is therefore implied since the event
$[(T = \mathrm{pass}) \wedge (I_{Eve} > A_{info}\, e^{-\beta_{info} n})]$ is identical to the event
$[I'_{Eve} > A_{info}\, e^{-\beta_{info} n}]$.]

Proof $I'_{Eve}$ is never negative. Therefore, by Markov's inequality [10] (that is,
$P[X > a] \le \langle X\rangle / a$ for any non-negative random variable $X$),

$$P\left[I'_{Eve} > A_{info}\, e^{-\beta_{info} n}\right] \le \frac{\langle I'_{Eve}\rangle}{A_{info}\, e^{-\beta_{info} n}} \le \frac{A\, e^{-\beta n}}{A_{info}\, e^{-\beta_{info} n}} = A_{luck}\, e^{-\beta_{luck} n}. \qquad \square$$

We gain two things by using this alternative security criterion. The first is some
additional intuition about the security parameter, and the second is a final form of
the criterion which is the one we actually prove here in the paper.

By definition, $\langle I'_{Eve}\rangle = \sum_{i_T, j_T, b, s, \xi} I'_{Eve}(i_T, j_T, b, s, \xi)\, p(i_T, j_T, b, s, \xi)$ is
equal to $\sum_{i_T, j_T : |i_T \oplus j_T| \le n p_a}\ \sum_{b, s, \xi} I(A; E \mid i_T, j_T, b, s, \xi)\, p(i_T, j_T, b, s, \xi)$,
thus it is easy to calculate that

$$\langle I'_{Eve}\rangle = I(A; E \mid I_T, J_T, B, S, \Xi, T = \mathrm{pass})\; P[T = \mathrm{pass}], \qquad (2.3)$$

(see Appendix B.3.1 for the details of this calculation). This expression provides
some intuition regarding the security criterion, Eq. (2.2): it says that if either the
probability to pass the test is negligible or Eve's information given that the test is
passed is negligible, then security is promised.

Using $c_T$ (the error syndrome on the test bits) and using the random variable
$C_T = I_T \oplus J_T$ (the random variable corresponding to the error syndrome), we
can also write

$$\langle I'_{Eve}\rangle = \sum_{c_T \mid T = \mathrm{pass}} P[C_T = c_T]\; I(A; E \mid I_T, C_T = c_T, B, S, \Xi) \qquad (2.4)$$

(see Appendix B.3.1 for the details of this calculation as well). This is true since
the random variable $C_T$ is equivalent to the random variable $J_T$ when the random
variable $I_T$ is given, and since summing over all the events $\{c_T \mid T = \mathrm{pass}\}$ provides
exactly the event $\{T = \mathrm{pass}\}$.

This last expression, Eq. (2.4), tells us that the security criterion (2.2) is satisfied if:

$$\sum_{c_T \mid T = \mathrm{pass}} P[C_T = c_T]\; I(A; E \mid I_T, C_T = c_T, B, S, \Xi) \le A\, e^{-\beta n}. \qquad (2.5)$$

Thus, this last equation is yet another form of the security criteria. Indeed, in Lemmas
5.3 and 5.4 in Section 5 we obtain an exponentially small bound on $\langle I'_{Eve}\rangle$.
This inequality then implies that the security criterion (2.1) is satisfied, for all
attacks without any restriction whatsoever, therefore proving the security of the
used-bits-BB84 and the original BB84 protocols.

To improve the intuition about the different security criteria (those that work 
for QKD and also those that do not work) we prove in Appendix B.3.2 that the 
Half-SWAP attack can easily be dealt with, once we use our security criteria; 
meaning that the security criteria are still satisfied. 

2.4 The main result: a security proof 

In this paper we provide a proof of the security of the used-bits BB84 protocol
against any attack on the channel. Formally we prove the following:

If the allowed error-rate $p_a$, some positive number $\epsilon_{sec}$, and the ECC+PA codes
are chosen such that $p_a + \epsilon_{sec} < v/2n$ with $v = \min_{r+1 \le r' \le r+m} d_H(v_{r'}, V^{r'})$
where $d_H$ is the Hamming distance, $v_{r'}$ a parity-check string, and $V^{r'}$ the
$2^{r+m-1}$-element space which is the span of the ECC and PA excluding $v_{r'}$ (namely,
the span of $v_1, \ldots, v_{r'-1}, v_{r'+1}, \ldots, v_{r+m}$), then for any $A_{info} > 0$, $A_{luck} > 0$
such that $A_{info} A_{luck} = 2m$ and any $\beta_{info}$ and $\beta_{luck}$ such that $\beta_{info} + \beta_{luck} = \epsilon_{sec}^2/4$,

$$P\left[(T = \mathrm{pass}) \wedge \left(I_{Eve} > A_{info}\, e^{-\beta_{info} n}\right)\right] \le A_{luck}\, e^{-\beta_{luck} n} \qquad (2.6)$$

where $T = \mathrm{pass}$ iff $|c_T| \le n p_a$ and $I_{Eve} = I(A; E \mid i_T, j_T, b, s, \xi)$.

2.5 Reliability

It will moreover be shown here that if the ECC corrects $p_a + \epsilon_{rel}$ errors then the
final $m$-bit key is reliable: the keys distilled by Alice and Bob are identical except
for some exponentially small probability $A_{rel}\, e^{-\beta_{rel} n}$ with $A_{rel} = 1$ and $\beta_{rel} =$

We shall eventually present here an example of a family of ECC+PA codes
such that the final key is secure and reliable, as long as the error rate $p_a$ is less than
7.56%, and such that the bit-rate approaches one when the error-rate approaches
zero. Furthermore, we present a different range of these codes such that for large
enough (see the footnote below) but reasonable $n$ the final key is secure and reliable, as long as the allowed
error rate $p_a$ is less than 5.50%; in Table 5.1 we provide some specific numbers
that might be interesting to experimentalists who design a QKD protocol.



* Namely, not asymptotically large. For instance, n of the order of 10* or 10^. 
3 Eve's Attack

In the used-bits BB84 protocol Alice encodes a string $i$ in the bases of her choice
$b$ in the state $|i\rangle_b$ which she sends to Bob via a quantum channel; Bob measures a
string $j$ using the same set of bases. In order to perform her attack, Eve prepares
a probe, E, in a known (ancillary) state, which W.L.G. can be written as a vector
$|0\rangle_E$, and performs a unitary transformation $U$ on the state

$$|0\rangle_E\, |i\rangle_b$$

where $|i\rangle_b$ is assumed to have been intercepted by Eve. The resulting state
$U|0\rangle_E|i\rangle_b$ can be expressed in a unique way as a sum

$$U|0\rangle_E|i\rangle_b = \sum_j |E'_{i,j}\rangle_b\, |j\rangle_b \qquad (3.1)$$

where the vectors $|E'_{i,j}\rangle_b$ are non-normalized vectors in Eve's probe space,

$$|E'_{i,j}\rangle_b = {}_b\langle j|\, U\, |0\rangle_E |i\rangle_b. \qquad (3.2)$$

Eve then sends the disturbed qubits to Bob, keeping her probe in her hands. We
call the state above,

$$|\psi_i\rangle_b = \sum_j |E'_{i,j}\rangle_b\, |j\rangle_b, \qquad (3.3)$$

"Eve-Bob's state", because it is the state in the hands of Eve and Bob together.

Of course, Eve does not know the basis $b$ when she performs her attack $U$ with
initial probe $|0\rangle_E$. Actually, Eve-Bob's state is not known to any of the players:
Alice knows $i$ and $b$, Eve knows $U$ (namely, the set of states $|E'_{i,j}\rangle_b$) but she knows
neither $i$, nor $j$ nor $b$, while Bob knows nothing prior to obtaining $b$ from Alice
(except his knowledge of the protocol). In the next steps Alice sends $b$ to Bob (and
Eve), and Bob measures and obtains his sifted key $j$. Then Alice sends $s$ to Bob
(and Eve) and both Alice and Bob disclose the test bits $i_T$ and $j_T$. The information
bits are still kept secret.

This section deals with two issues: 1. symmetrizing Eve's attack; 2. the
attack on all bits versus the attack induced on the information bits.

Subsection 3.1 presents the symmetrized attack. Subsection 3.2 presents important
properties of the symmetric attack. Subsection 3.3 proves that symmetric
attacks are at least as good for Eve as any other attack can be. Subsection 3.4
distills the attack on the information bits, and finally, Subsection 3.5 analyzes the
symmetrized attacks, when test bits and information bits are treated separately.

3.1 Symmetrizing Eve's attack

For any attack $\{U, \mathcal{E}\}$, we shall now define a different attack $\{U^{sym}, \mathcal{E}^{sym}\}$ which
can be at least as good (for Eve) as the attack $\{U, \mathcal{E}\}$, is symmetric to bit flips,
and is simpler to analyze. The symmetric attack $\{U^{sym}, \mathcal{E}^{sym}\}$ is obtained by
enlarging Eve's probe, adding a second probe, M, containing $2n$ qubits in the state
$(1/2^n)\sum_m |m\rangle_M$, and transforming it and measuring it as described below. The
attack is "symmetric" in the sense that it is unaffected by the choice of $i$ by Alice,
and this is true for any basis $b$.

The symmetrization is done here in a physical way, namely, as a process that
Eve can actually do if she wants to (see the footnote below). The symmetrization process can be done
in a way that is always beneficial for Eve, and therefore, any attack, no matter
how good it is, is no better than its optimal symmetrization. Thus, W.L.G., it is
sufficient to prove security against all symmetric attacks. In order to intuitively
understand the design of these symmetric attacks (starting from any attack), we
note that for the original attack, applying the attack $U$ to a state $i \oplus m$ gives

$$U|0\rangle_E|i \oplus m\rangle_b = \sum_{j'} |E'_{i\oplus m,\, j'}\rangle_b\, |j'\rangle_b = \sum_j |E'_{i\oplus m,\, j\oplus m}\rangle_b\, |j \oplus m\rangle_b$$

with $j = j' \oplus m$. The symmetrization is achieved by Eve in practice in several steps.

We first present the symmetrization as if Eve knows the bases $b$: When
the additional ancilla state is $|m\rangle_M$ she applies her original attack after "shifting"
$i$ by $m$ (namely XORing $i$ with $m$, via bitwise Controlled-NOT gates):

$$U|0\rangle_E|i \oplus m\rangle_b|m\rangle_M = \sum_j |E'_{i\oplus m,\, j\oplus m}\rangle_b\, |j \oplus m\rangle_b\, |m\rangle_M.$$

Now we can see that averaging the original attack over $i$ is equivalent to averaging the shifted
attack over all values $m$. The averaging over $m$ is easily obtained due to starting
with a quantum state which is an equal superposition of all values of $m$,
$|0_x\rangle_M = (1/2^n)\sum_m |m\rangle_M$. Then Eve could always measure $m$, and continue with
the same POVMs (where each POVM is a function of the values of $i_T, \ldots$) as in
the original attack, obtaining her original asymmetric attack up to a shift of all values
by XORing them with $m$. Let us refer to this attack as the "trivial symmetric
attack" $\{U^{sym}, \mathcal{E}^{sym,trivial}\}$. We also define a slightly stronger and more general
attack in which Eve measures $m$ on her additional probe, but continues with any
POVM she finds appropriate. We call this attack the "simple symmetrized attack".
Obviously, for a given $U$ (and its modified attack, $U^{sym}$), the optimal simple symmetric
attack is better than the trivial symmetric attack, because potentially more
informative POVMs are chosen. The most general symmetric attack $\{U^{sym}, \mathcal{E}^{sym}\}$
generalizes this simple symmetric attack, as Eve can choose any measurement
(rather than measuring $m$ first). Clearly, the optimal symmetric attack (for a given
$U$) is therefore at least as informative as the trivial and the simple symmetric attacks.

Note that in the trivial symmetric attack, when Eve's second probe is measured
yielding an outcome $m$, we get back the original attack, up to a shift by $m$. If
the error rate in the original attack $U$ is averaged over all $i$ and the error rate
in the new attack is averaged over all $m$, the resulting average error rate is the
same. Thus, the trivial symmetric attack induces the same error-rate, and gives
Eve the same information as the original attack. However, as we just explained,
in the symmetrized attack $\{U^{sym}, \mathcal{E}^{sym}\}$ Eve can also use the state $|m\rangle$ in other
ways than just measuring $m$. This modification cannot change the error-rate due
to causality (Eve's measurement can be done after Alice and Bob completed their
protocol). On the other hand, the optimal symmetrization (optimal POVM, $\mathcal{E}^{sym}$,
for each value of $i_T, b, \ldots$) will be at least as good as the trivial one, meaning
that for any value of $i_T, b, \ldots$, it would not decrease Eve's information, while
it could increase it. As a result of these two intuitive observations, dealing with
symmetrized attacks is sufficient, and any other attack cannot be better for Eve.
We render these observations formally sound later on in Subsection 3.3, but we
first must deal with the general case in which the basis $b$ is not known to Eve by
the time she performs the symmetrization.

Footnote: One can also view the symmetrization as a virtual process. This makes some
differences, but we do not consider this case here.

The fact that Alice's state is also defined by a basis $b$ which is unknown to Eve
makes the required symmetrization slightly more complex, because we would like
to obtain $i \oplus m$ no matter what the basis is. This is done as follows: We define the
new attack in terms of a previously fixed basis; we will choose the computational
basis, i.e. the basis $\{|i\rangle_0\}$ (for $b = 0$, the zero string). For each qubit sent by Alice,
Eve attaches a new ancillary bit; her new ancilla (Eve's second probe, M) is thus
a $2n$ qubit register, whose basis states are called $|m\rangle_M$. She then applies independently
to each pair of qubits (Alice's qubit plus the attached qubit from the probe
M) the unitary transform $S$ satisfying the equalities $S|0\rangle_0|0\rangle = |0\rangle_0|0\rangle$, $S|1\rangle_0|0\rangle =
|1\rangle_0|0\rangle$, $S|0\rangle_0|1\rangle = |1\rangle_0|1\rangle$ and $S|1\rangle_0|1\rangle = -|0\rangle_0|1\rangle$ (if the computational basis
is $|0_z\rangle, |1_z\rangle$ then this corresponds to performing a controlled $\sigma_x\sigma_z$ transformation
on each of Alice's qubits using the corresponding ancillary bit as control bit).
If we evaluate $S$ on basis vectors of the alternate basis $|0\rangle_1 = \frac{1}{\sqrt{2}}(|0\rangle + |1\rangle)$,
$|1\rangle_1 = \frac{1}{\sqrt{2}}(|0\rangle - |1\rangle)$, we get immediately $S|0\rangle_1|0\rangle = |0\rangle_1|0\rangle$, $S|1\rangle_1|0\rangle = |1\rangle_1|0\rangle$,
$S|0\rangle_1|1\rangle = -|1\rangle_1|1\rangle$ and $S|1\rangle_1|1\rangle = |0\rangle_1|1\rangle$; as a consequence, for each such pair
of qubits, we can summarize the effect of $S$ on basis states by the equality (where
$i$, $m$ and $b$ are $0$ or $1$)

$$S|i\rangle_b|m\rangle = (-1)^{(i \oplus b)\, m}\, |i \oplus m\rangle_b|m\rangle.$$

On $2n$ such pairs of qubits, the exponents simply add up and, for any strings $i$, $m$
and $b$ of $2n$ bits we get

$$S_{AM}|i\rangle_b|m\rangle_M = (-1)^{(i \oplus b)\cdot m}\, |i \oplus m\rangle_b|m\rangle_M \qquad (3.4)$$

$$S^{\dagger}_{AM}|i\rangle_b|m\rangle_M = (-1)^{(i \oplus b \oplus m)\cdot m}\, |i \oplus m\rangle_b|m\rangle_M \qquad (3.5)$$

where the subscript for $S$ means it acts on Alice's qubits (A) and the second probe
(M), where the second equation is deduced from the first by using the fact that
$S^{\dagger}S = 1$, and with $S$ being a $2^{4n} \times 2^{4n}$ matrix.

The symmetrized attack is therefore defined by the initial state of the additional
probe $|0_x\rangle_M = (1/2^n)\sum_m |m\rangle_M$, and by the unitary transform

$$U^{sym} = (1_E \otimes S_{AM})^{\dagger}\, (U_{EA} \otimes 1_M)\, (1_E \otimes S_{AM}) \qquad (3.6)$$

where $U_{EA}$ is Eve's original attack on Alice's qubits (A) and Eve's first probe
(E), $S$ is applied onto Alice's qubits and Eve's second probe, and $1_E$ and $1_M$ are
the identity on Eve's first and second probe space respectively. This completes the
definition of the symmetrized attack.
3.2 Some basic properties of symmetric attacks

3.2.1 The "Basic Lemma of Symmetrization": For any attack $U$, and for any
basis $b$, we write $U^{sym}$ slightly differently now by defining $|E^{sym}_{i,j}\rangle_b$ via

$$U^{sym}|0\rangle_E|0_x\rangle_M|i\rangle_b = \sum_j |E^{sym}_{i,j}\rangle_b\, |j\rangle_b,$$

where both probes $|0\rangle_E$ and $|0_x\rangle_M$ have been put together (adjacent to each other)
on the left side, to clarify the definition of these $|E^{sym}_{i,j}\rangle_b$.

Given any attack $U$, with its $|E'_{i,j}\rangle_b$, the symmetrization leads to these $|E^{sym}_{i,j}\rangle_b$'s
that can now be described via the original $|E'_{i,j}\rangle_b$'s as follows:

Lemma 3.1 For any basis string $b$

$$|E^{sym}_{i,j}\rangle_b = 2^{-n}\sum_m (-1)^{(i \oplus j)\cdot m}\, |E'_{i\oplus m,\, j\oplus m}\rangle_b\, |m\rangle_M. \qquad (3.7)$$

We refer to this Lemma as the Basic Lemma of Symmetrization.

Proof In order to calculate smoothly, we write (again) $|0\rangle_E|i\rangle_b|0_x\rangle_M$ (instead of
$|0\rangle_E|0_x\rangle_M|i\rangle_b$) in the order the Hilbert spaces appear in equation (3.6) defining
$U^{sym}$:

$$\begin{aligned}
U^{sym}|0\rangle_E|i\rangle_b|0_x\rangle_M &= 2^{-n}\,(1_E \otimes S)^{\dagger}(U \otimes 1_M)(1_E \otimes S)\sum_m |0\rangle_E|i\rangle_b|m\rangle \\
&= 2^{-n}\,(1_E \otimes S)^{\dagger}(U \otimes 1_M)\sum_m (-1)^{(i \oplus b)\cdot m}\, |0\rangle_E|i \oplus m\rangle_b|m\rangle \\
&= 2^{-n}\,(1_E \otimes S)^{\dagger}\sum_m (-1)^{(i \oplus b)\cdot m}\sum_{j'} |E'_{i\oplus m,\, j'}\rangle_b|j'\rangle_b|m\rangle \\
&= 2^{-n}\sum_j\sum_m (-1)^{(i \oplus j)\cdot m}\, |E'_{i\oplus m,\, j\oplus m}\rangle_b|j\rangle_b|m\rangle,
\end{aligned}$$

which proves the lemma. □

The Lemma tells us (intuitively) that Eve gets a similar replacement of $E'_{i,j}$ by
$E'_{i\oplus m,\, j\oplus m}$ whether she symmetrizes with respect to the computational basis or
with respect to any other basis. This means that symmetrization with respect to the
output bits $0$ or $1$ results also in some form of symmetry with respect to the bases.
3.2.2 Symmetrization and the error-rate: For any attack (symmetric or not) the
probability that Bob measures the string $j$ in basis $b$ if Alice sent $i$ is given
by $p(j \mid i, b) = \langle E'_{i,j}|E'_{i,j}\rangle_b$. In particular, for symmetric attacks
$p^{sym}(j \mid i, b) = \langle E^{sym}_{i,j}|E^{sym}_{i,j}\rangle_b$. As a consequence of the Basic Lemma of Symmetrization
(Lemma 3.1) we can now establish a link between $p^{sym}(j \mid i, b)$, the probability
that (under the symmetrized attack) Bob measures $j$ in basis $b$ if Alice sent $i$,
and $p(j \mid i, b)$, the corresponding probability for the original attack. For a given
$b$ and $i$, the probability of some specific $j = i \oplus c$ becomes the probability of $c$.
Thus we can also conclude a link between $p^{sym}(c \mid i, b)$ and $p(c \mid i, b)$. The two
main conclusions of the forthcoming lemma are that (a) the probability (in
the symmetrized attack) $p^{sym}(c \mid i, b)$ for a given $i$ is actually independent of $i$,
as it is equal to $p(c \mid b)$, and (b) the probability (in the symmetrized attack)
$p^{sym}(c \mid b)$ is equal to the probability in the original attack, as it is equal to $p(c \mid b)$.

Lemma 3.2 For any $i$ chosen by Alice and for any $j = i \oplus c$

$$p^{sym}(j \mid i, b) = p^{sym}(i \oplus c \mid i, b) = 2^{-2n}\sum_{i'} p(i' \oplus c \mid i', b), \qquad (3.8)$$

$$p^{sym}(c \mid i, b) = p^{sym}(i \oplus c \mid i, b) = p^{sym}(j \mid i, b) = p(c \mid b), \qquad (3.9)$$

$$p^{sym}(c \mid b) = p(c \mid b). \qquad (3.10)$$

Proof Using the fact that the states $|m\rangle$ are orthonormal, we get

$$\begin{aligned}
p^{sym}(j \mid i, b) &= \langle E^{sym}_{i,j}|E^{sym}_{i,j}\rangle_b \\
&= 2^{-2n}\sum_m \langle E'_{i\oplus m,\, j\oplus m}|E'_{i\oplus m,\, j\oplus m}\rangle_b \qquad \text{by Eq. (3.7)} \\
&= 2^{-2n}\sum_m p(j \oplus m \mid i \oplus m, b).
\end{aligned}$$

By assigning $i' = i \oplus m$ this gives $p^{sym}(j \mid i, b) = 2^{-2n}\sum_{i'} p(j \oplus i \oplus i' \mid i', b)$.
With $c = i \oplus j$ we finally get $p^{sym}(i \oplus c \mid i, b) = 2^{-2n}\sum_{i'} p(i' \oplus c \mid i', b)$. This
completes the first part of the Lemma.

By definition, the averaging over all $i'$ means that $2^{-2n}\sum_{i'} p(i' \oplus c \mid i', b) =
p(c \mid b)$, so we get $p^{sym}(i \oplus c \mid i, b) = p(c \mid b)$. We conclude that $p^{sym}(i \oplus c \mid i, b)$
is actually independent of $i$, namely, $p^{sym}(i \oplus c \mid i, b) = p(c \mid b)$. For a given $b$ and $i$,
$p^{sym}(j \mid i, b) = p^{sym}(i \oplus c \mid i, b) = p^{sym}(c \mid i, b)$. This completes the proof of the
second part of the lemma.

We now start with $p^{sym}(i \oplus c \mid i, b) = p(c \mid b)$. Then, averaging $p^{sym}(i \oplus c \mid i, b)$
over all $i$ means that $2^{-2n}\sum_i p^{sym}(i \oplus c \mid i, b) = p^{sym}(c \mid b)$. However, the
summation is over equal terms $[p(c \mid b)]$, so we finally get $p^{sym}(c \mid b) = p^{sym}(i \oplus c \mid i, b)$,
proving the last part of the Lemma. □
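As an added check of the construction of Subsection 3.1 and of Lemmas 3.1 and 3.2 (example code written for this page, not the authors' own), the Python below builds $U^{sym}$ of Eq. (3.6) literally for the smallest case, a single qubit sent by Alice with one-qubit probes E and M, starting from a constructed, deliberately bit-asymmetric attack $U$ (`sample_attack`, an assumption of the example), and verifies Eq. (3.7) and Eq. (3.9) in both bases.

```python
import math
from itertools import product

# Added example, not from the paper: the smallest instance of the symmetrization of
# Section 3.1, i.e. one qubit from Alice (A), a one-qubit probe E and a one-qubit
# second probe M, so the paper's 2^{-n} becomes 2^{-1/2}.  States are dicts
# {(e, a, m): amplitude} over the computational basis; b=0 is the computational
# basis, b=1 the Hadamard basis |0>_1 = (|0>+|1>)/sqrt2, |1>_1 = (|0>-|1>)/sqrt2.
R2 = math.sqrt(2)

def ket_b(i, b):
    """Alice's qubit |i>_b in the computational basis, as {a: amplitude}."""
    return {i: 1.0} if b == 0 else {0: 1 / R2, 1: (-1) ** i / R2}

def bra_b(j, b, a):
    """Overlap <j|_b a>, used to project Bob's qubit onto |j>_b."""
    return (1.0 if j == a else 0.0) if b == 0 else (-1) ** (j * a) / R2

def add(state, key, amp):
    state[key] = state.get(key, 0.0) + amp

def apply_U(U, state):
    """Apply the 4x4 unitary U on (E, A) (index e*2+a); M is untouched."""
    out = {}
    for (e, a, m), amp in state.items():
        for row in range(4):
            if U[row][e * 2 + a]:
                add(out, (row // 2, row % 2, m), U[row][e * 2 + a] * amp)
    return out

def apply_S(state, dagger=False):
    """S on (A, M): identity if m=0, controlled sigma_x sigma_z if m=1, i.e.
    S|a>|1> = (-1)^a |a^1>|1>;  its adjoint gives S^dag|a>|1> = (-1)^(a^1) |a^1>|1>."""
    out = {}
    for (e, a, m), amp in state.items():
        if m == 1:
            add(out, (e, a ^ 1, 1), (-1) ** ((a ^ 1) if dagger else a) * amp)
        else:
            add(out, (e, a, 0), amp)
    return out

def E_prime(U, i, j, b):
    """|E'_{i,j}>_b = <j|_b U |0>_E |i>_b  (Eq. 3.2), as {e: amplitude}."""
    psi = {(0, a, 0): amp for a, amp in ket_b(i, b).items()}
    out = {}
    for (e, a, _), amp in apply_U(U, psi).items():
        add(out, e, bra_b(j, b, a) * amp)
    return out

def E_sym(U, i, j, b):
    """<j|_b U^sym |0>_E |0_x>_M |i>_b with U^sym of Eq. (3.6): S, then U on (E,A), then S^dag."""
    psi = {}
    for a, amp in ket_b(i, b).items():
        for m in (0, 1):                       # |0_x>_M = (|0> + |1>) / sqrt2
            add(psi, (0, a, m), amp / R2)
    psi = apply_S(apply_U(U, apply_S(psi)), dagger=True)
    out = {}
    for (e, a, m), amp in psi.items():
        add(out, (e, m), bra_b(j, b, a) * amp)
    return out

def E_sym_lemma(U, i, j, b):
    """Right-hand side of Eq. (3.7): 2^{-1/2} sum_m (-1)^{(i^j).m} |E'_{i^m,j^m}>_b |m>."""
    out = {}
    for m in (0, 1):
        for e, amp in E_prime(U, i ^ m, j ^ m, b).items():
            add(out, (e, m), (-1) ** ((i ^ j) & m) * amp / R2)
    return out

def norm2(v):
    return sum(abs(x) ** 2 for x in v.values())

def sample_attack(theta, phi):
    """Constructed asymmetric attack on |e a>: rotate |00> towards |11> by theta and |01>
    towards |10> by phi, so in basis 0 Alice's bit flips w.p. sin^2(theta) if 0 was sent, sin^2(phi) if 1."""
    c, s, C, S = math.cos(theta), math.sin(theta), math.cos(phi), math.sin(phi)
    return [[c, 0, 0, -s], [0, C, -S, 0], [0, S, C, 0], [s, 0, 0, c]]

def lemma_3_1_holds(U, tol=1e-9):
    """Eq. (3.7): the directly computed |E^sym_{i,j}>_b equals the lemma's sum, both bases."""
    for i, j, b in product((0, 1), repeat=3):
        lhs, rhs = E_sym(U, i, j, b), E_sym_lemma(U, i, j, b)
        if any(abs(lhs.get(k, 0) - rhs.get(k, 0)) > tol for k in set(lhs) | set(rhs)):
            return False
    return True

def error_probs(U):
    """p(c|i,b) = <E'_{i,i^c}|E'_{i,i^c}>_b and p^sym(c|i,b) of Section 3.2.2."""
    keys = list(product((0, 1), repeat=3))
    p = {(c, i, b): norm2(E_prime(U, i, i ^ c, b)) for c, i, b in keys}
    psym = {(c, i, b): norm2(E_sym(U, i, i ^ c, b)) for c, i, b in keys}
    return p, psym

def lemma_3_2_holds(U, tol=1e-9):
    """Eq. (3.9): p^sym(c|i,b) does not depend on i and equals p(c|b), the i-average of p(c|i,b)."""
    p, psym = error_probs(U)
    for c, b in product((0, 1), repeat=2):
        p_cb = (p[(c, 0, b)] + p[(c, 1, b)]) / 2
        if any(abs(psym[(c, i, b)] - p_cb) > tol for i in (0, 1)):
            return False
    return True
```

With `sample_attack(0.3, 1.1)` the original attack flips Alice's bit with probability 0.087 when she sends 0 and 0.794 when she sends 1 (basis 0), while the symmetrized attack gives 0.441 for both, the average, exactly as Lemma 3.2 states.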

3.3 Symmetric attacks are optimal for the eavesdropper

E. Biham, M. Boyer, P. O. Boykin, T. Mor and V. Roychowdhury

We now show that for any attack $\{U, \mathcal{E}\}$, the attack $\{U^{sym}, \mathcal{E}^{sym,trivial}\}$ leaves the same
average error rate and also provides the same information to Eve as the original
attack. The optimal symmetric attack (for a given $U$), in which the optimization
is over all the possible measurements $\mathcal{E}$, leaves the same average error rate and
provides information to Eve that is equal or larger than that of the original attack
$U$. These results imply (see Lemma 5.2) that if the security criterion is satisfied
for all symmetric attacks, then it is satisfied for all attacks. Let us recall that due
to causality Bob's outcome will be the same whatever measurement Eve performs.
Since symmetrization in one basis yields symmetrization at any basis, we may
assume (W.L.G.) that Eve performed her symmetrization with respect to the basis
used by Alice and Bob. In that context, if Eve uses the trivial symmetrized attack,
and measures $|m\rangle$ in the standard basis, this is simply a replacement of $i$ by $i \oplus m$
and $j$ by $j \oplus m$ with respect to the original attack. Continuing by a POVM as in
the original attack now yields the same information as the original attack, while
clearly Eve could do better, as earlier explained.

In the following subsections we make the above intuition mathematically solid.
[Recall that the string $s$ (where a position equal to 1 corresponds to an information
bit in $i$ whilst a 0 indicates a test bit) determines two substrings of $i$, namely $i_I$
(information bits) and $i_T$ (test bits); after $s$ is published by Alice we may identify
$|i\rangle_b$ with $|i_T\rangle_b|i_I\rangle_b = |i_T\rangle_b \otimes |i_I\rangle_b$ (this isomorphism depends on $s$, and is just a
permutation of bits); note that the same modification applies to $|j\rangle_b$.]

3.3.1 Symmetrization does not affect the average error-rate: As a corollary of
Lemma 3.2, when $s$ is known, we get

Corollary 3.1

$$P^{sym}[c_I, c_T \mid b, s] = P[c_I, c_T \mid b, s] \qquad (3.11)$$

$$P^{sym}[c_T \mid b, s] = P[c_T \mid b, s]. \qquad (3.12)$$

The first equation is a slight modification of the third part of Lemma 3.2 (due to $s$
being published), and the second equation is obtained from the first by summing
over all $c_I$.

These results prove that the average error-rate is not changed when an attack
$U$ is replaced by any symmetric attack $U^{sym}$.

3.3.2 Eve's information is not decreased by symmetrization: Let $E^{sym}$ be the
random variable whose values $e$ are the output of Eve's measurement $\mathcal{E}^{sym}$, and
note that the measurement is fixed at the end of the protocol, hence depends on
the value of $\{i_T, c_T, b, s, \xi\}$. For any particular attack $U$ and particular value
$\{i_T, c_T, b, s, \xi\}$, the maximal value of $I(A; E^{sym} \mid i_T, C_T = c_T, b, s, \xi)$ corresponding
to Eve's symmetrized attack and optimal measurement is larger than or
equal to that obtained if she restricts herself to performing the trivial symmetric
attack (namely, to measuring the $|m\rangle$ probe in the standard basis, and repeating the
POVM of the original attack).

Let us denote $(E', M)$ the (multivariate) random variable where for each particular
value of $m$, $E'$ are the random outputs of the trivial symmetric attack. Then,
we have by the very definition of the optimal measurement that

$$\max_{\mathcal{E}^{sym}} I(A; E^{sym} \mid i_T, C_T = c_T, b, s, \xi) \ge I(A; E', M \mid i_T, C_T = c_T, b, s, \xi),$$

where $\mathcal{E}^{sym}$ does not stand for one POVM but for a set of POVMs, one for each
value of $i_T, c_T, b, s, \xi$. We would like to bound

$$I(A; E \mid I_T, C_T = c_T, b, s, \Xi) = \sum_{i_T, \xi} P[i_T, \xi \mid c_T, b, s]\; I(A; E \mid i_T, C_T = c_T, b, s, \xi).$$

We must note the important fact that the POVM is only fixed at the end of the
protocol, hence a different POVM $\mathcal{E}$ is chosen for each fixed value of $i_T, \xi$ (as
the other parameters are fixed here). The same is true for the trivial symmetrized
attack

$$I(A; E', M \mid I_T, C_T = c_T, b, s, \Xi) = \sum_{i_T, \xi} P[i_T, \xi \mid c_T, b, s]\; I(A; E', M \mid i_T, C_T = c_T, b, s, \xi),$$

and the same is true for the optimal symmetrized attack (for a given $U$)

$$\max I(A; E^{sym} \mid I_T, C_T = c_T, b, s, \Xi) = \sum_{i_T, \xi} P[i_T, \xi \mid c_T, b, s]\; \max I(A; E^{sym} \mid i_T, C_T = c_T, b, s, \xi). \qquad (3.13)$$

With that definition we are promised that symmetrization is optimal for each particular
value of $\{i_T, c_T, b, s, \xi\}$ and the resulting information is optimal also after
summing over $i_T, \xi$:

$$\max I(A; E^{sym} \mid I_T, C_T = c_T, b, s, \Xi) \ge I(A; E', M \mid I_T, C_T = c_T, b, s, \Xi).$$

Now we are ready to present the main result of this subsection. An optimal
symmetrization of $U$ will not decrease the information accessible to Eve in the
following sense:

Lemma 3.3 For any fixed $U$, $c_T$, $b$, $s$,

$$\max I(A; E^{sym} \mid I_T, C_T = c_T, b, s, \Xi) \ge I(A; E \mid I_T, C_T = c_T, b, s, \Xi). \qquad (3.14)$$

Proof For any given $U$, the optimal symmetric attack is at least as good as the
trivial symmetric attack for each value of $c_T, b, s, i_T, \xi$, and therefore also after
summing over $i_T, \xi$.

Proving formally that the trivial symmetric attack is as good as the original
attack is less trivial (see the footnote below). Actually, for simplicity, we only prove the relevant direction,
namely, that the trivial symmetric attack is at least as good as the original attack:

$$I(A; E', M \mid I_T, C_T = c_T, b, s, \Xi) \ge I(A; E \mid I_T, C_T = c_T, b, s, \Xi). \qquad (3.15)$$

For the details of that proof, see Appendix C.1. □

The above result means that we can use a bound on Eve's average information
in the case of a symmetrized attack to apply to the unsymmetrized case.

Footnote: Still, it is somewhat similar to the argument given when we analyzed the case in which
Eve knows the bases.
3.4 Eve-Bob's state after the basis and the test bits are known

When the strings $b$ and $s$ are given to Bob (and to Eve) then Eve-Bob's state
(Eq. 3.3) ought to be modified. The sifted keys $|i\rangle_b$ and $|j\rangle_b$, the resulting error
syndrome $c = i \oplus j$, Eve's attack $U$, and Eve's unnormalized states $E'_{i,j}$ are now
expressed differently, so that the test bits and information bits are written separately.
Equation (3.1) can thus be rewritten as

$$U|0\rangle_E|i_T\rangle_b|i_I\rangle_b = \sum_j |E'_{i_T, i_I, j_T, j_I}\rangle_b\, |j_T\rangle_b|j_I\rangle_b \qquad (3.16)$$

where the right-hand side corresponds to Eve-Bob's state ($|\psi_i\rangle$) for a given $i = i_T i_I$,
and where

$$|E'_{i_T, i_I, j_T, j_I}\rangle_b = {}_b\langle j_T|\, {}_b\langle j_I|\, U\, |0\rangle_E|i_T\rangle_b|i_I\rangle_b. \qquad (3.17)$$

The probability that Bob measures $|j_T\rangle_b|j_I\rangle_b$ is

$$p(j_T, j_I \mid i_T, i_I, b, s) = \langle E'_{i_T, i_I, j_T, j_I}|E'_{i_T, i_I, j_T, j_I}\rangle_b. \qquad (3.18)$$

Once $i_T$ is also given to Eve and Bob, it is considered as a fixed parameter
instead of a variable in the equation above. When $j_T$ is measured, the right-hand
states $\sum_j |E'_{i_T, i_I, j_T, j_I}\rangle_b|j_T\rangle_b|j_I\rangle_b$ are projected onto the particular $j_T$ obtained
by the measurement on the test bits, and $2^n$ basis states are left in the summation,
corresponding to the $2^n$ possible values of the $n$ information qubits in Bob's hands.
Formally, the projection is described via $\langle j_T|\psi_i\rangle = \sum_{j_I} |E'_{i_T, i_I, j_T, j_I}\rangle_b|j_I\rangle_b$. The
projection should now be followed by a normalization of the state, thus modifying
Eve-Bob's state to become

$$|\psi_{i_I}\rangle = \sum_{j_I} \frac{1}{\sqrt{p(j_T \mid i_T, i_I, b, s)}}\, |E'_{i_T, i_I, j_T, j_I}\rangle_b\, |j_I\rangle_b. \qquad (3.19)$$

With $p(j_T \mid i_T, i_I, b, s) = \sum_{j_I} p(j_T, j_I \mid i_T, i_I, b, s)$ and using Eq. (3.18) we get that
the normalization factor (due to the projection on $j_T$) is the square root of

$$p(j_T \mid i_T, i_I, b, s) = \sum_{j_I} \langle E'_{i_T, i_I, j_T, j_I}|E'_{i_T, i_I, j_T, j_I}\rangle_b. \qquad (3.20)$$

Let us now define (see the footnote below)

$$|E_{i_I, j_I}\rangle_{b,s} = \frac{1}{\sqrt{p(j_T \mid i_T, i_I, b, s)}}\, |E'_{i_T, i_I, j_T, j_I}\rangle_b, \qquad (3.21)$$

so that the resulting Eve-Bob's state can be written more economically in the form

$$|\psi_{i_I}\rangle = \sum_{j_I} |E_{i_I, j_I}\rangle_{b,s}\, |j_I\rangle_b. \qquad (3.22)$$

Footnote: The expression $|E_{i_I, j_I}\rangle_{b,s}$ is also a function of the parameters $i_T$ and $j_T$ (which are
known to Eve by now), but writing the expression as $|E_{i_I, j_I}\rangle_{b,s,i_T,j_T}$ looks cumbersome;
therefore, for convenience, we did not write them in the expression, while we keep $b, s$ to
remind us that the bases and the test are known.

From Eqs. (3.18, 3.21) and the conditional probability formula $[p(ab)/p(a) = p(b \mid a)]$ we get

$$\langle E_{i_I, j_I}|E_{i_I, j_I}\rangle_{b,s} = p(j_I \mid i_I, i_T, j_T, b, s); \qquad (3.23)$$

with $c_I = i_I \oplus j_I$ this gives $\langle E_{i_I, i_I \oplus c_I}|E_{i_I, i_I \oplus c_I}\rangle_{b,s} = p(i_I \oplus c_I \mid i_I, i_T, j_T, b, s) =
p(c_I \mid i_I, i_T, j_T, b, s)$.



3.5 Symmetrization — its impact on the test and information bits:

We first prove that for symmetrized attacks various expressions become independent
of $i_I$:

Lemma 3.4

$$p^{sym}(j_T \mid i_T, i_I, b, s) = p^{sym}(j_T \mid i_T, b, s). \qquad (3.24)$$

Proof As an immediate corollary of Lemma 3.2 (that says that $p^{sym}(c \mid i, b) =
p(c \mid b)$) when $s$ is known, we get

$$p^{sym}(c_T, c_I \mid i_T, i_I, b, s) = p[c_T, c_I \mid b, s].$$

Recalling that $c_T = i_T \oplus j_T$ and $c_I = i_I \oplus j_I$, this implies that for any $m_I$

$$p^{sym}(j_T, j_I \oplus m_I \mid i_T, i_I \oplus m_I, b, s) = p^{sym}(j_T, j_I \mid i_T, i_I, b, s).$$

If we sum both sides of this equality over $j_I$ we get $p^{sym}(j_T \mid i_T, i_I \oplus m_I, b, s) =
p^{sym}(j_T \mid i_T, i_I, b, s)$, which means that the probability is independent of $i_I$,

$$p^{sym}(j_T \mid i_T, i_I, b, s) = p^{sym}(j_T \mid i_T, b, s). \qquad \square$$

As a corollary of the above Lemma, notice that for symmetric attacks,

Corollary 3.2

$$p^{sym}(i_I \mid i_T, j_T, b, s) = 1/2^n. \qquad (3.25)$$

Indeed, using the Bayes rule (on $\{j_T; i_I\}$)

$$p^{sym}(i_I \mid i_T, j_T, b, s) = \frac{p^{sym}(j_T \mid i_I, i_T, b, s)}{p^{sym}(j_T \mid i_T, b, s)}\; p^{sym}(i_I \mid i_T, b, s) = \frac{1}{2^n}$$

where the last equality results from Eq. (3.24) and the fact that all bits of $i$, $b$ and
$s$ are chosen independently [so $p^{sym}(i_I \mid i_T, b, s) = 1/2^n$].

Another important consequence of Lemma 3.4 is:

Lemma 3.5 For the information bits:

1. $\langle E^{sym}_{i_I,\, i_I \oplus c_I}|E^{sym}_{i_I \oplus k_I,\, i_I \oplus c_I \oplus k_I}\rangle_{b,s}$ is independent of $i_I$.

2. $\sum_{j_I} \langle E^{sym}_{i_I,\, j_I}|E^{sym}_{i_I \oplus k_I,\, j_I \oplus k_I}\rangle_{b,s}$ is independent of $i_I$.

The proof is given in Appendix C.2.

The next step is to show that for symmetrized attacks various expressions are
independent also of $b_I$. We proved in Lemma 3.4 that the normalizing factor for
fixed $i_T$, $j_T$, $b$ and $s$ is the same for all the indices $i_I$. In addition, that normalizing
factor does not depend on $b_I$ either:

Lemma 3.6

$$p^{sym}(j_T \mid i_T, b, s) = p^{sym}(j_T \mid i_T, b_I, b_T, s) = p^{sym}(j_T \mid i_T, b_T, s). \qquad (3.26)$$

Proof In fact, Eq. (3.26) is true for any attack (symmetrized or not):

$$p(j_T \mid i_T, b, s) = p(j_T \mid i_T, b_I, b_T, s) = p(j_T \mid i_T, b_T, s). \qquad (3.27)$$

Intuitively, the fact that $i_I$ is not a given parameter actually means that we average
over it (as $p(a) = \sum_b p(a, b) = \sum_b p(b)\, p(a \mid b)$). Once we average over it, the
relevant quantum bits are traced out, causing independence of $b_I$ as well. Thus, in
general, $j$ of one subset (such as $j_T$) is independent of $b$ of another subset (such as
$b_I$). This is formally proven in Appendix C.3. Thus follows $p^{sym}(j_T \mid i_T, b, s) =
p^{sym}(j_T \mid i_T, b_T, s)$. □

As a trivial Corollary of Lemmas 3.4 and 3.6 we get the following:

Corollary 3.3 For symmetrized attacks, the probability of $j_T$ satisfies

$$p^{sym}(j_T \mid i_T, b, s) = p^{sym}(j_T \mid i_T, b_T, s), \qquad (3.28)$$

and therefore, Eq. (3.21) is simplified to
4 Information vs. Disturbance

In this section we analyze the information bits alone (for a given symmetric attack
$U^{sym}$, a given input $i_T$ and outcome $j_T$ on the test bits, and given bases $b$ and choice
of test bits $s$). When no ambiguity arises, the indices $b$ and $s$ will be dropped; $|i\rangle$
will denote $|i\rangle_b$, $|i_I\rangle$ will denote $|i_I\rangle_b$, and $|E_{i_I, j_I}\rangle_{b,s}$ will be denoted $|E_{i_I, j_I}\rangle$.

Our result here applies for any measurement $\mathcal{E}^{sym}$, hence in particular for the optimal one. The
optimization over Eve's measurement is avoided by using the fact that the trace norm
of the difference of two density matrices provides an upper bound on the accessible
information one could obtain via any measurement when having the two density
matrices as the possible inputs.

4.1 Eve's state

When Alice sends a state $|i_I\rangle = |i_I\rangle_{b_I}$ for the information bits (where $b_I$ is the
string actually used by her and Bob to fix the bases on information bits), the state
of Eve and Bob together, $|\psi_{i_I}\rangle = \sum_{j_I} |E_{i_I, j_I}\rangle|j_I\rangle$, is fully determined by Eve's
attack and by the data regarding the test bits. Eve's state in that case is fully determined
by tracing-out Bob's subsystem $|j_I\rangle$ from Eve-Bob's state, and it is

$$\rho^{i_I} = \sum_{j_I} |E_{i_I, j_I}\rangle\langle E_{i_I, j_I}|, \qquad (4.1)$$

calculated given $i_T$ and $j_T$. This state in Eve's hands is a mixed state.

4.2 Purification and a related basis

We can "purify" the state while giving more information to Eve by assuming she
keeps the state

$$|\phi_{i_I}\rangle = \sum_{j_I} |E_{i_I, j_I}\rangle\, |i_I \oplus j_I\rangle \qquad (4.2)$$

where we introduce another subsystem for the "purification". Notice that the indices
of $\phi$ and of $E$ are always information bits ($n$-bit strings). As a consequence,
we could as well have written without ambiguity $|\phi_i\rangle = \sum_j |E_{i,j}\rangle|i \oplus j\rangle$ where
the sum is taken over all $n$-bit strings $j$ that can serve as index in $|E_{i,j}\rangle$. We will do
this when expressions do not involve test bits. The term purification means different
things in different papers, thus we explain it a bit more: A mixed state can also
be obtained from a pure state in an enlarged system (the original system plus an
ancilla), once the ancilla is traced out; the pure state of the enlarged system (or its
density matrix) is called a purification of the mixed state. In a more general case,
the state in the enlarged system is not necessarily pure, and then we refer to it as a
"lift-up" [7] of the state of the original system.

The resulting purified state (i.e., any purification or any lift-up of Eve's states,
for instance, the purification $|\phi_{i_I}\rangle\langle\phi_{i_I}|$), is at least as informative to Eve as $\rho^{i_I}$
(of Eq. 4.1) is. This is because the density matrix $\rho^{i_I}$ is exactly the same as Eve's
state would be if Eve ignored the $i_I \oplus j_I$ register of $|\phi_{i_I}\rangle$. Thus, any information Eve
can obtain from her mixed state is bounded by the information she could get if the
purified state was available to her.

Note that the overlap between these purified states satisfies

$$\langle\phi_i|\phi_{i\oplus k}\rangle = \sum_{j,j'} \langle E_{i,j}|E_{i\oplus k,j'}\rangle\,\langle i\oplus j|i\oplus k\oplus j'\rangle = \sum_j \langle E_{i,j}|E_{i\oplus k,\,j\oplus k}\rangle , \qquad (4.3)$$

where all the indices are $n$-bit strings.

As a consequence of Lemma 3.5 we immediately get for the information bits that $\langle\phi_i|\phi_{i\oplus k}\rangle$ is independent of $i$ [meaning, independent of $i_I$, see Eq. (4.2)]. Thus, it is only a function of $k$ (namely, $\hat d_k$), and we can write this as

Corollary 4.1

$$\hat d_k = \langle\phi_i|\phi_{i\oplus k}\rangle .$$

For the $2^n$-dimensional Hilbert space spanned by the purified states (corresponding to information bits), we define a Fourier basis and show that it is possible to compute a bound on Eve's information about the information bits, once the purified states are expressed in this basis.

Definition 4.1 

^ I 

Using the above definitions and the identity $(1/2^n)\sum_k (-1)^{(i\oplus j)\cdot k} = \delta_{ij}$, Eve's purified state can be rewritten in the Fourier basis $\{|\eta_l\rangle\}$.

Note that $\langle\eta_i|\eta_i\rangle = \frac{1}{2^{2n}}\sum_l\sum_k (-1)^{i\cdot k}\langle\phi_l|\phi_{l\oplus k}\rangle = \frac{1}{2^n}\sum_k (-1)^{i\cdot k}\,\hat d_k$. In terms of Eve's states we can write

$$d_i = \langle\eta_i|\eta_i\rangle = \frac{1}{2^{2n}}\sum_l\sum_k (-1)^{i\cdot k}\sum_j \langle E_{l,j}|E_{l\oplus k,\,j\oplus k}\rangle . \qquad (4.5)$$

Proposition 4.1 For symmetrized attacks, $\langle\eta_j|\eta_i\rangle = 0$ if $i \ne j$.

Proof Note that $\langle\eta_j|\eta_i\rangle = \frac{1}{2^{2n}}\sum_l (-1)^{(i\oplus j)\cdot l}\sum_k (-1)^{i\cdot k}\langle\phi_l|\phi_{l\oplus k}\rangle$. Since $\langle\phi_l|\phi_{l\oplus k}\rangle = \hat d_k$ is independent of $l$, we see that:

$$\langle\eta_j|\eta_i\rangle = \frac{1}{2^{2n}}\sum_l (-1)^{(i\oplus j)\cdot l}\sum_k (-1)^{i\cdot k}\,\hat d_k = \frac{1}{2^n}\,\delta_{ij}\sum_k (-1)^{i\cdot k}\,\hat d_k .$$

The above proposition is used to prove Lemma 4.2.
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4.3 Eve's state and probability of errors induced on information bits 

In this subsection we show that the probability of any error string Eve would have induced if the conjugate basis was used for the information bits, is a simple function of the $d_i$'s (of Definition 4.1), hence a function of the overlap of Eve's purified states. For any attack ($i_T$ and $j_T$ being fixed once and for all), any $b$ and $s$, we have

$$P[C_I = c_I \mid i_I, i_T, j_T, b, s] = \langle E_{i_I,\,i_I\oplus c_I}|E_{i_I,\,i_I\oplus c_I}\rangle_{b,s} ; \qquad (4.6)$$

see Eq. (3.23).

For any symmetrized attack and any $b$ and $s$ the error distribution in the information bits is

$$P^{sym}[C_I = c_I \mid i_T, j_T, b, s] = \sum_{i_I} P^{sym}[C_I = c_I \mid i_I, i_T, j_T, b, s]\, P^{sym}(i_I \mid i_T, j_T, b, s) = \frac{1}{2^n}\sum_{i_I}\langle E_{i_I,\,i_I\oplus c_I}|E_{i_I,\,i_I\oplus c_I}\rangle_{b,s} , \qquad (4.7)$$

namely, the average probability of an error syndrome $c_I$ on the information bits (when the test bits, basis and sequence are given). The first equality is derived using standard probability theory ($p(a) = \sum_b p(a \mid b)\,p(b)$), the second is due to Eq. (3.25) and Eq. (4.6).

Identity (4.7) applies for all strings $b$ and $s$ and, in particular, for $b^\circ = b \oplus s$ we get

$$P^{sym}[C_I = c_I \mid i_T, j_T, b^\circ, s] = \frac{1}{2^n}\sum_{i_I}\langle E_{i_I,\,i_I\oplus c_I}|E_{i_I,\,i_I\oplus c_I}\rangle_{b^\circ,s} . \qquad (4.8)$$

The basis $b^\circ$ is a basis where the basis for the test bits is the same as $b$, but the basis for each information bit is opposite. With a little algebra, as shown in Appendix C.4, we can express $|E_{i_I,\,i_I\oplus c_I}\rangle_{b^\circ,s}$ in terms of the $|E_{i_I,j_I}\rangle_{b,s}$. Then, doing this for the right-hand side of Eq. (4.8) we get the right-hand side of Eq. (4.5) with $i = c_I$; this means that we get the following

Lemma 4.1

$$P^{sym}[C_I = c_I \mid i_T, j_T, b^\circ, s] = d_{c_I} . \qquad (4.9)$$

The proof is presented in Appendix C.4. Note that the $d_i$ used here are those of the symmetrized attack.

Put differently, the term $d_{c_I}$ defined in terms of the actual bases used by Alice and Bob is equal to the probability of the error syndrome $c_I$ on information bits had Alice and Bob used the conjugate bases on information bits. As we shall soon see, these $d_i$'s actually provide a measure of the information Eve could get from her purified states, therefore leading to a novel information versus disturbance result.
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4.4 Bounds on Eve's information - the one-bit key case

In this subsection we much improve upon a result obtained in [7] (the result was derived for the collective attack). Eve's information about a particular bit of the final key (even if all other bits of the final key are given to her) is bounded. We take into consideration the error-correction data that is given to Eve, and we do it more efficiently than in [7], hence we obtain a much better threshold for the allowed error-rate.

Let us first discuss a one-bit final key $a$, defined to be the parity of a substring of the input $i_I$. The substring is defined using a mask $v$, meaning that the secret key is $a = v \cdot i_I$. (In the general case, the key is defined as the string $a = i_I P_{PA}^T$ where $P_{PA}$ is an $m \times n$ matrix; cf. Subsection 2.1, item II.7.) Bob first corrects his errors using the error correction code data, hence he learns Alice's string $i_I$. Eve does not know $i_I$, but she learns the error correcting code $C$ used by Alice and Bob as well as $v$ and the parity bits $\xi$ sent by Alice to help Bob correct the sequence he received. All the possible inputs $i_I$ that have the correct parities $\xi$ for the code $C$ form a set denoted $\Omega = \{i_I \mid i_I P_C^T = \xi\}$.

When the purification of Eve's state is given by $|\phi_i\rangle$ the density matrix is $\rho_i = |\phi_i\rangle\langle\phi_i|$. In order to guess the key $a = v \cdot i$, Eve must now distinguish between two ensembles of states: the ensemble of equally likely states $|\phi_{i_I}\rangle$ (these states are equally likely due to Corollary 3.2), with $i_I \in \Omega$ (i.e. $i_I P_C^T = \xi$) and key $a = i_I \cdot v = 0$, and the ensemble of (equally likely) states $|\phi_{i_I}\rangle$ with $i_I \in \Omega$ and key $a = i_I \cdot v = 1$. For $a \in \{0,1\}$ these ensembles are represented by the density matrices $\rho_0 = \rho_0(v,\xi)$ and $\rho_1 = \rho_1(v,\xi)$ defined by:

(4.10)

and Eve's goal is to distinguish between those two. Note that the two density matrices $\rho_a(v,\xi)$ are the lift-ups of the density matrices really known to Eve, namely, matrices in which the sum is over the states of Eq. (4.1) rather than a sum over their purifications.

A good measure for the distinguishability of $\rho_0(v,\xi)$ and $\rho_1(v,\xi)$ is the optimal mutual information (known as the accessible information) that one could get if one needs to guess the bit $a$ by performing an optimal measurement to distinguish between the two density matrices, when the two are given with equal probability (of half). This information will be called the Shannon Distinguishability ($SD = SD(\rho_0,\rho_1)$) to emphasize that it is a distinguishability measure. If $v$ is the string used to define the one-bit key $A$ sent by Alice, then, due to the optimality of $SD$, we get (for any symmetric attack)

$$I(A; E^{sym} \mid i_T, j_T, b, s, \xi) \le SD(\rho_0(v,\xi), \rho_1(v,\xi)) , \qquad (4.11)$$

where $E^{sym}$ is the random variable corresponding to Eve's actual measurement in the symmetrized attack.
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Let $v_1, \ldots, v_r$ be the rows of the $r \times n$ parity check matrix $P_C$ of the $(n,k,d)$ code $C$ where $r = n - k$. The matrix $P_C$ is assumed of rank $r$ and so, the $r$ "parity-check strings" $v_1, v_2, \ldots, v_r$ (that are known to Eve) are linearly independent. Let $V_r$ be the $r$-dimensional linear space generated by $\{v_1, \ldots, v_r\}$. Then, $V_r = \{v_s \mid s \in \{0,1\}^r\}$ where, by definition$^6$, $v_s = \sum_{l=1}^r s_l v_l$. For $v_s \in V_r$, Eve knows $i_I \cdot v_s$ because she knows all the $\xi_l$ and $i_I \cdot v_s = \sum_l s_l\,\xi_l$ where $\xi_l = i_I \cdot v_l$. As a consequence, Eve has total knowledge of the key if $a = i_I \cdot v_s$ for some $v_s \in V_r$. Notice that $V_r$ is nothing but the dual code $C^\perp$ of $C$ which can be viewed as the set of all the parity strings for $C$.

For any $v \in \{0,1\}^n$, let $\nu$ be the minimum Hamming distance $d_H(v, C^\perp)$ between $v$ and all the strings in $C^\perp$; this is written out in Eq. (4.12). The value $\nu$ will prove to be a security parameter. We use here, as in [7], Eve's purified states $|\phi_i\rangle$ expressed in terms of the $d_l$ and the $|\eta_l\rangle$ of Definition 4.1, and the resulting density matrices of Eq. (4.10). We now show that

Lemma 4.2 For any $\xi \in \{0,1\}^r$, any $(n,k,d)$ code $C$ with $r \times n$ parity check matrix $P_C$ of rank $r = n - k$ and any $v \notin C^\perp$, the Shannon distinguishability between the parity 0 and the parity 1 of the information bits over the PA string, $v$, is bounded above by the following inequality:

$$SD(\rho_0(v,\xi), \rho_1(v,\xi)) \le 2\sqrt{\sum_{l:\,|l| \ge \nu} d_l} ,$$

where $\nu = d_H(v, C^\perp)$ is the minimum Hamming distance between $v$ and $C^\perp$ and $\rho_b(v,\xi)$ is defined by Eq. (4.10).

See proof in Appendix D.2. As that proof was developed from methods used in [7] we present in Appendix D.1 the preliminary analysis we did for the joint attack, an analysis that was based on using the tools of [7]. Appendix D.2 then presents improved tools leading to the result described in Lemma 4.2. Appendix D.2 is self-contained, yet reading Appendix D.1 may help the reader to better understand the motivation and the development of the tools used for this proof.

The result of Lemma 4.2 gives an upper bound for Eve's information about the 
bit defined by this privacy amplification string v. In order to get a useful result, 
namely, an information versus disturbance result, we now prove a proposition in 
which the bound on Eve's information is expressed in terms of the probability of 
error on the information bits in the conjugate basis. 

Proposition 4.2 For any $\xi \in \{0,1\}^r$, any $(n,k,d)$ code $C$ with $r \times n$ parity check matrix $P_C$ of rank $r = n - k$ and any $v \notin C^\perp$

$$I(A; E^{sym} \mid i_T, j_T, b, s, \xi) \le 2\sqrt{P^{sym}\!\left[\,|C_I| \ge \nu \;\middle|\; i_T, j_T, b^\circ, s\right]} , \qquad (4.13)$$

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where $\nu = d_H(v, C^\perp)$ is the minimum Hamming distance between $v$ and $C^\perp$, $c_I = i_I \oplus j_I$, $\xi = i_I P_C^T$, the key is $a = i_I \cdot v$ and $b^\circ = b \oplus s$.

$^6$ Note that the vector $s$ is used now to define the possible vectors $v_s$ in the span of the parity-check strings [this is in addition to $s$ being used as the $2n$-bit string defining the test bits and the information bits]; the bit $s_l$ is the $l$'th bit of $s$.

$$\nu = \min_{v' \in C^\perp} d_H(v, v') = \min_{v' \in C^\perp} |v \oplus v'| \qquad (4.12)$$

Proof

$$\begin{aligned}
I(A; E^{sym} \mid i_T, j_T, b, s, \xi) &\le SD(\rho_0(v,\xi), \rho_1(v,\xi)) &&\text{by Eq. (4.11)} \\
&\le 2\sqrt{\sum_{l:\,|l| \ge \nu} d_l} &&\text{by Lemma 4.2} \\
&= 2\sqrt{\sum_{l:\,|l| \ge \nu} P^{sym}[C_I = l \mid i_T, j_T, b^\circ, s]} &&\text{by Lemma 4.1} \\
&= 2\sqrt{P^{sym}\!\left[\,|C_I| \ge \nu \;\middle|\; i_T, j_T, b^\circ, s\right]} .
\end{aligned}$$

□

Notice that the bound obtained in the previous proposition holds for all $\xi$, that is, it is the same whatever is the syndrome sent by Alice to Bob to help him correct his information bits.

Equation (4.13) bounds the information of Eve (about a one-bit key) using the probability of the error strings in the other basis, and it completes the basic information versus disturbance result of our proof. Previous security proofs (for simpler attacks), such as [17,9,7] are also based on various information versus disturbance arguments, since the non-classicality of QKD is manifested via such arguments.

The result is expressed using classical terms: Eve's information is bounded using the probability of error strings with large Hamming weight. If only error strings with low weight have non-zero probability, Eve's information becomes zero. Such a result is a "low weight" property and it resembles a similar result with this name which was derived by Yao [35] for the security analysis of the error-free quantum oblivious transfer (and QKD).



4.5 Bounds on Eve's information - the m-bit key case

The case of an $m$-bit key $a$ is closely related to the one-bit case. The only differences are that the upper bound is multiplied by $m$, and that $\nu$ is defined differently in order to take into account the privacy amplification code (in addition to the error-correction code).

In terms of the bound [the R.H.S. of Eq. (4.13)], the case of an $m$-bit key $a$ follows from that of a one-bit key if we use the following lemma:

Lemma 4.3 Let $A = (A_1, \ldots, A_m)$ be defined by $m$ random variables. Let $E$ be any random variable. If $I(A_1; E) \le F$ and for all $j$, $1 \le j \le m - 1$ and all $a_1, \ldots, a_j$, $I(A_{j+1}; E \mid a_1 \ldots a_j) \le F$ then $I(A; E) \le mF$.

Proof Note that

$$I(A_{j+1}; E \mid A_1 \ldots A_j) = \sum_{a_1,\ldots,a_j} P(a_1, \ldots, a_j)\, I(A_{j+1}; E \mid a_1 \ldots a_j) \le \sum_{a_1,\ldots,a_j} P(a_1, \ldots, a_j)\, F \le F .$$
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

The lemma follows from the above and the chain rule for information (see Appendix B.1), displayed below.



Next, in the particular case at hand, we want to bound Eve's information about the $m$-bit key given the values $i_T, j_T, b, s$ and $\xi$ she learned. This means we want to bound $I(A; E^{sym} \mid i_T, j_T, b, s, \xi)$ where $A$ is the $m$-bit key. This is nothing but a mutual information between $A$ and $E^{sym}$ for some fixed (known) values of random outputs, and the above lemma thus applies. More precisely, it tells us that if some number $F$ is an upper bound for $I(A_{j+1}; E^{sym} \mid i_T, j_T, b, s, \xi, a_1 \ldots a_j)$ then $mF$ will be an upper bound for $I(A; E^{sym} \mid i_T, j_T, b, s, \xi)$. Announcing $\xi$ and $a_1 \ldots a_j$ is announcing publicly the bits $v_1 \cdot i_I, \ldots, v_{r+j} \cdot i_I$, which is just the same as using the $r + j$ strings $v_1, \ldots, v_{r+j}$ as parity strings of a code for which Proposition 4.2 applies. More formally,

Proposition 4.3 Let $v_1, \ldots, v_{r+m}$ be $r + m$ linearly independent $n$-strings and $V_{r'}$ be the subspace of $\{0,1\}^n$ spanned by $\{v_1, \ldots, v_{r'}\}$ ($1 \le r' \le r + m$). Let $P_C$ be the matrix whose rows are $v_1, \ldots, v_r$ and $P_{PA}$ the one with rows $v_{r+1}, \ldots, v_{r+m}$. Then for any $\xi \in \{0,1\}^r$ the bound (4.14) holds, where $\nu = \min_{r \le r' < r+m} d_H(v_{r'+1}, V_{r'})$, $c_I = i_I \oplus j_I$, $\xi = i_I P_C^T$, $a = i_I P_{PA}^T$ and $b^\circ = b \oplus s$.

Proof See Appendix C.5.

If we modify $\nu$ to any value that is less than or equal to the minimum over all the Hamming distances $d_H(v_{r'+1}, V_{r'})$ then equation (4.14) is satisfied with the modified $\nu$ as well, as only the RHS increases. In particular this is true if we follow the definition given in Subsection 2.1 in item II.7; thus we define $\nu$ to be (from now on) the minimal distance between any string $v$ in the set of PA parity-check strings, and any string $v'$ in the span of their union with the parity-check strings of the ECC (the dual to the code). This formally means:

Corollary 4.2 Let $v_1, \ldots, v_{r+m}$ be $r + m$ linearly independent $n$-strings. Let $P_C$ be the matrix whose rows are $v_1, \ldots, v_r$ and $P_{PA}$ the one with rows $v_{r+1}, \ldots, v_{r+m}$. Let $V^{r'}_{r+m}$ be the $2^{r+m-1}$-dimensional subspace of $\{0,1\}^n$



$$I(A; E) = I(A_1, A_2, \ldots, A_m; E) = \sum_{j=1}^{m} I(A_j; E \mid A_1, \ldots, A_{j-1}) .$$

□

(4.14)

E. Biham, M. Boyer, P. O. Boykin, T. Mor and V. Roychowdhury



spanned by a subset of the $r + m - 1$ parity strings which excludes the PA string $v_{r'}$ (namely, the span of $v_1, \ldots, v_{r'-1}, v_{r'+1}, \ldots, v_{r+m}$). Then for any $\xi \in \{0,1\}^r$ the bound (4.15) holds, where $\nu = \min_{r+1 \le r' \le r+m} d_H(v_{r'}, V^{r'}_{r+m})$, $c_I = i_I \oplus j_I$, $\xi = i_I P_C^T$, $a = i_I P_{PA}^T$ and $b^\circ = b \oplus s$.

[First remark: in fact, for binary linear codes, the two $\nu$ defined above, the one used in Proposition 4.3 and the one used in Proposition 4.2, are equal, but this fact is irrelevant for our paper.

Second remark: we could even follow a stricter definition and replace $\nu$ by $d^\perp$, the minimum (non-zero) distance of the code $V_{r+m}$ of dimension $r + m$ (the space spanned by the ECC and PA strings $v_1, \ldots, v_{r+m}$, see Subsection 2.1, item II.7). Notice that the rows of the generator matrix of this code are those of $P_C$ and $P_{PA}$.]
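The definition of $\nu$ in Corollary 4.2 (and of $d^\perp$ in the second remark), as an added worked example that is not part of the paper: a brute-force computation over the span of a constructed toy ECC+PA code. The ECC (two parity-check strings on $n = 8$ bits), both PA choices and all function names are our own assumptions, chosen small enough to be checked by hand.

```python
"""Security parameter nu (Corollary 4.2) and d^perp (second remark) for a toy ECC+PA.

Bit strings are Python ints; bit positions are read left to right from the
literals below. Everything here is constructed for illustration.
"""
from typing import List, Set


def weight(x: int) -> int:
    """Hamming weight |x| of a bit string stored as an int."""
    return bin(x).count("1")


def span(strings: List[int]) -> Set[int]:
    """All GF(2) linear combinations of the given n-bit strings."""
    s = {0}
    for v in strings:
        s |= {w ^ v for w in s}
    return s


def linearly_independent(strings: List[int]) -> bool:
    """r+m strings are independent iff their span has 2^(r+m) elements."""
    return len(span(strings)) == 2 ** len(strings)


def dist_to_span(v: int, strings: List[int]) -> int:
    """d_H(v, V) = min over v' in V of |v xor v'|, V = span(strings)."""
    return min(weight(v ^ w) for w in span(strings))


def nu(parity_strings: List[int], r: int) -> int:
    """nu of Corollary 4.2: the minimum, over the PA strings v_{r'} (r' = r+1..r+m),
    of the distance from v_{r'} to the span of the other r+m-1 ECC and PA strings."""
    if not linearly_independent(parity_strings):
        raise ValueError("ECC+PA parity strings must be linearly independent")
    return min(
        dist_to_span(parity_strings[k], parity_strings[:k] + parity_strings[k + 1:])
        for k in range(r, len(parity_strings))
    )


def dual_min_distance(parity_strings: List[int]) -> int:
    """d^perp: minimum non-zero weight in the span of all r+m strings (second remark)."""
    return min(weight(w) for w in span(parity_strings) if w)


def max_pa_plus_eps(parity_strings: List[int], r: int, n: int) -> float:
    """Largest p_a + eps_sec allowed by the condition p_a + eps_sec <= nu/2n."""
    return nu(parity_strings, r) / (2 * n)


# Constructed toy code: n = 8, ECC with r = 2 parity strings (even parity on each
# half of the string), plus m = 2 PA strings. Two PA choices are compared.
N = 8
ECC_PC = [int("11110000", 2), int("00001111", 2)]   # rows of P_C, r = 2
R = len(ECC_PC)
PA_GOOD = [int("10101010", 2), int("11001100", 2)]   # rows of P_PA (good choice)
PA_BAD = [int("10101010", 2), int("10000000", 2)]    # second PA string has weight 1

if __name__ == "__main__":
    for name, pa in (("good PA", PA_GOOD), ("bad PA", PA_BAD)):
        strings = ECC_PC + pa
        print(name, "nu =", nu(strings, R), "d_perp =", dual_min_distance(strings),
              "p_a + eps_sec <=", max_pa_plus_eps(strings, R, N))
```

With the weight-1 PA string, $\nu = 1$ and the condition of Proposition 5.1 leaves no room for any error rate; the other choice gives $\nu = d^\perp = 4$, as the first remark predicts for a binary linear code.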




(4.15) 
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5 Completing the Security Proof

In this section we analyze the attack on the test and information qubits together (cf. Eq. 3.16). For these states, we bound the weighted average of Eve's information $\langle I_{Eve}\rangle$ used in the alternative security criteria [see Eq. (2.4)]:

$$\sum_{c_T \mid T = pass} P[C_T = c_T]\; I(A; E \mid I_T, C_T = c_T, B, S, \Xi) .$$

We show that the above bound is exponentially small and therefore Lemma 2.1 promises us that security is achieved. We generalize here previous (and more limited) proofs [5,8,7] that information about parity bits is exponentially small, to be applicable for the most general attack on the channel, the joint attack. [A remark: we freely switch below between $c_T$ and $j_T$ whenever $i_T$ is given.]



5.1 Applying the bounds to all attacks



The maximum error rate that still passes the test is denoted $p_a$ (or $p_{allowed}$). This means that $T = pass$ if and only if $|c_T| \le np_a$. For $\nu$ as defined in Corollary 4.2, and making use of that corollary we get, for fixed $b$ and $s$:

Lemma 5.1

$$\sum_{|c_T| \le np_a} P^{sym}[C_T = c_T \mid b, s]\; I(A; E^{sym} \mid I_T, C_T = c_T, b, s, \Xi) \le 2m\sqrt{P^{sym}\!\left[\,(|C_I| \ge \nu) \wedge \left(\tfrac{|C_T|}{n} \le p_a\right) \;\middle|\; b^\circ, s\right]}$$

The proof is given in Appendix C.6.

Let $U$ (and $\mathcal{E}$) be some arbitrary attack and $(U^{sym}, \mathcal{E}^{sym})$ an arbitrary symmetrized attack resulting from $U$. As the Lemma above is true for any symmetric attack, it is also true for any $(U^{sym}, \mathcal{E}^{sym})$ and in particular for the optimal one (in which the optimal POVM is performed for each value of $I_T, \ldots$). Thus, we immediately get from Lemma 5.1

Corollary 5.1

$$\sum_{|c_T| \le np_a} P^{sym}[C_T = c_T \mid b, s]\; \max I(A; E^{sym} \mid I_T, C_T = c_T, b, s, \Xi) \le 2m\sqrt{P^{sym}\!\left[\,(|C_I| \ge \nu) \wedge \left(\tfrac{|C_T|}{n} \le p_a\right) \;\middle|\; b^\circ, s\right]}$$

with the maximum [$\max I(\cdot)$] defined in Eq. (3.13).

We now prove that the above bound, with the same definition of $\nu$, also applies to the original unsymmetrized attack ($b$ and $s$ still fixed).
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Lemma 5.2

$$\sum_{|c_T| \le np_a} P[C_T = c_T \mid b, s]\; I(A; E \mid I_T, C_T = c_T, b, s, \Xi) \le 2m\sqrt{P\!\left[\,(|C_I| \ge \nu) \wedge \left(\tfrac{|C_T|}{n} \le p_a\right) \;\middle|\; b^\circ, s\right]}$$

Proof This follows from Lemma 3.3, Corollary 5.1 and equations (3.11, 3.12) from Corollary 3.1:

$$\begin{aligned}
&\sum_{|c_T| \le np_a} P[C_T = c_T \mid b, s]\; I(A; E \mid I_T, C_T = c_T, b, s, \Xi) \\
&= \sum_{|c_T| \le np_a} P^{sym}[C_T = c_T \mid b, s]\; I(A; E \mid I_T, C_T = c_T, b, s, \Xi) &&\text{by Eq. (3.12)} \\
&\le \sum_{|c_T| \le np_a} P^{sym}[C_T = c_T \mid b, s]\; \max I(A; E^{sym} \mid I_T, C_T = c_T, b, s, \Xi) &&\text{by Lemma 3.3} \\
&\le 2m\sqrt{P^{sym}\!\left[\,(|C_I| \ge \nu) \wedge \left(\tfrac{|C_T|}{n} \le p_a\right) \;\middle|\; b^\circ, s\right]} &&\text{by Corollary 5.1}
\end{aligned}$$

By Eq. (3.11), $P^{sym}[C_I = c_I, C_T = c_T \mid b, s] = P[C_I = c_I, C_T = c_T \mid b, s]$ for any basis string, in particular $b^\circ$; this concludes the proof. □

From now on, there will be no restriction of symmetry on the attacks. The results will hold for any attack whatsoever.



5.2 Exponentially-small bound on Eve's information

For any $\epsilon_{sec}$ and $p_a$ such that $\nu \ge 2n(p_a + \epsilon_{sec})$, Lemma 5.2 leaves the following bound:

Corollary 5.2

$$\sum_{|c_T| \le np_a} P[C_T = c_T \mid b, s]\; I(A; E \mid I_T, C_T = c_T, b, s, \Xi) \le 2m\sqrt{P\!\left[\left(\tfrac{|C_I|}{n} \ge p_a + \epsilon_{sec}\right) \wedge \left(\tfrac{|C_T|}{n} \le p_a\right) \;\middle|\; b^\circ, s\right]}$$

Thus far, there is nothing that causes the bound on the right hand side to be a small number. The result above is true even if Eve is told in advance the bases of Alice and Bob (the string $b$), or if she is told in advance which are the test bits and which are the used bits (the string $s$), two cases in which Eve easily obtains full information about the secret key $a$.
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Only Eve's lack of knowledge regarding the random strings $b$ and $s$ provides an exponentially small number at the right hand side. Since Eve must fix her attack before she knows the basis or the test-bits choice, we compute the average information for a fixed attack over all bases $b$ and test-bits choices $s$. Averaging over $b$ means that we sum over all $b$'s and multiply each term by the constant $p(b) = 1/2^{2n}$. The averaging over $b$ removes the dependence on the particular basis [due to $\sum_b p(x \mid b)\,p(b) = \sum_b p(x, b) = p(x)$].

Averaging over $s$ means that we sum over all $s$'s and multiply each term by the constant $p(s) = 1/\binom{2n}{n}$. The averaging over $s$ removes the dependence on the particular choice of which bits are the test bits [due to the same identity with $s$ in place of $b$].

Lemma 5.3 Let $T = pass$ iff $|c_T| \le np_a$, and let $I'_{Eve}$ be the random variable equal to $I_{Eve} = I(A; E \mid i_T, j_T, b, s, \xi)$ when $T = pass$ and $I'_{Eve} = 0$ otherwise. Then for any $\epsilon_{sec}$ and $p_a$ such that $p_a + \epsilon_{sec} \le \nu/2n$ we get

$$\langle I'_{Eve}\rangle \le 2m\sqrt{P\!\left[\left(\tfrac{|C_I|}{n} \ge p_a + \epsilon_{sec}\right) \wedge \left(\tfrac{|C_T|}{n} \le p_a\right)\right]}$$

Proof We already proved (Eq. 2.4) that

$$\langle I'_{Eve}\rangle = \sum_{c_T \mid T = pass} P[C_T = c_T]\; I(A; E \mid I_T, C_T = c_T, B, S, \Xi)$$

where $T = pass$ iff $|c_T| \le np_a$. Expanding the right-hand side, we get

$$\langle I'_{Eve}\rangle = \sum_{b,s} p(b,s) \sum_{|c_T| \le np_a} P[C_T = c_T \mid b, s]\; I(A; E \mid I_T, C_T = c_T, b, s, \Xi) .$$

Using Corollary 5.2 we obtain the first bound below; then using the fact that $\sum_i p_i\sqrt{x_i} \le \sqrt{\sum_i p_i x_i}$, and that $p(b,s) = p(b^\circ,s) = 2^{-2n}p(s)$ ($b$ and $s$ being chosen independently) we get the second bound; finally noting that summing over $b$ is the same as summing over $b^\circ$, we get the third bound:

$$\begin{aligned}
\langle I'_{Eve}\rangle &\le \sum_{b,s} p(b,s)\; 2m\sqrt{P\!\left[\left(\tfrac{|C_I|}{n} \ge p_a + \epsilon_{sec}\right) \wedge \left(\tfrac{|C_T|}{n} \le p_a\right) \;\middle|\; b^\circ, s\right]} \\
&\le 2m\sqrt{\sum_{b,s} 2^{-2n} p(s)\; P\!\left[\left(\tfrac{|C_I|}{n} \ge p_a + \epsilon_{sec}\right) \wedge \left(\tfrac{|C_T|}{n} \le p_a\right) \;\middle|\; b^\circ, s\right]} \\
&= 2m\sqrt{P\!\left[\left(\tfrac{|C_I|}{n} \ge p_a + \epsilon_{sec}\right) \wedge \left(\tfrac{|C_T|}{n} \le p_a\right)\right]}
\end{aligned}$$

□



For a long string, the test bits and the information bits should have a similar number of errors if the test is picked at random. The probability that they have different numbers of errors should go to zero exponentially fast as shown in the following lemma.

Lemma 5.4 For any $\epsilon > 0$,

$$P\!\left[\left(\tfrac{|C_I|}{n} \ge p_a + \epsilon\right) \wedge \left(\tfrac{|C_T|}{n} \le p_a\right)\right] \le e^{-\frac12 n\epsilon^2} .$$

Proof This follows directly from Hoeffding's law of large numbers [22]. The details are given in Appendix C.7.



5.3 The main results

We are now in a position to state and prove our main results.

Proposition 5.1 If $p_a$ and $\epsilon_{sec}$ and the ECC+PA codes are such that $p_a + \epsilon_{sec} \le \nu/2n$ with $\nu = \min_{r+1 \le r' \le r+m} d_H(v_{r'}, V^{r'}_{r+m})$ where $d_H$ is the Hamming distance, $v_{r'}$ is a parity-check string, and $V^{r'}_{r+m}$ is the $2^{r+m-1}$ space which is the span of $v_1, \ldots, v_{r'-1}, v_{r'+1}, \ldots, v_{r+m}$, then

$$\langle I'_{Eve}\rangle \le 2m\, e^{-\frac14 n\epsilon_{sec}^2} ,$$

where $I'_{Eve} = I_{Eve}$ if $|c_T| = |i_T \oplus j_T| \le np_a$ (test passed) and $I'_{Eve} = 0$ otherwise.

Proof This follows immediately from Lemma 5.3 and Lemma 5.4.

Theorem 5.1 If $p_a$ and $\epsilon_{sec}$ and the ECC+PA codes are such that $p_a + \epsilon_{sec} \le \nu/2n$ with $\nu = \min_{r+1 \le r' \le r+m} d_H(v_{r'}, V^{r'}_{r+m})$ where $d_H$ is the Hamming distance, $v_{r'}$ is a parity-check string, and $V^{r'}_{r+m}$ is the $2^{r+m-1}$ space which is the span of $v_1, \ldots, v_{r'-1}, v_{r'+1}, \ldots, v_{r+m}$, then for any $A_{info} > 0$, $A_{luck} > 0$ such that $A_{info}A_{luck} = 2m$ and any $\beta_{info}$ and $\beta_{luck}$ such that $\beta_{info} + \beta_{luck} = \epsilon_{sec}^2/4$,

$$P\!\left[(T = pass) \wedge \left(I_{Eve} \ge A_{info}\, e^{-\beta_{info} n}\right)\right] \le A_{luck}\, e^{-\beta_{luck} n} \qquad (5.1)$$

where $T = pass$ iff $|c_T| \le np_a$ and $I_{Eve} = I(A; E \mid i_T, j_T, b, s, \xi)$.

Proof This follows from Proposition 5.1 if we let $A = 2m$ and $\beta = \epsilon_{sec}^2/4$ in Lemma 2.1.

Let us recall that, in addition to the security, one must also guarantee the reliability of the final key. Namely we need to make sure that Alice's final key and Bob's final key are (almost always) identical. Note that Lemma 5.4 can be rewritten:

$$P\!\left[(T = pass) \wedge \left(|C_I| \ge (p_a + \epsilon_{rel})\,n\right)\right] \le e^{-\frac12 n\epsilon_{rel}^2}$$

This also means that

Corollary 5.3 The probability that the test is passed and that there are more than $(p_a + \epsilon_{rel})n$ errors in the information string is exponentially small; it is bounded by

$$h = e^{-\frac12 n\epsilon_{rel}^2} .$$

Once the ECC is chosen such that $(p_a + \epsilon_{rel})n$ errors in the information string are corrected, Alice's and Bob's final keys are identical except for an exponentially small probability bounded by $h$. This result means that $A_{rel} = 1$ and $\beta_{rel} = \epsilon_{rel}^2/2$ in the reliability criterion of Subsection 2.5.
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5.4 The existence of codes that provide security and reliability 

The above bound on Eve's information is exponentially small, provided there is a family of good linear ECCs satisfying also the requirement that $\nu \ge 2n(p_a + \epsilon_{sec})$ when PA strings are added. What we formally need is a family of (linear) ECC+PA codes satisfying the following two conditions:

(1) The ECC can correct up to $t = (p_{allowed} + \epsilon_{rel})n$ errors. For this to happen, we demand that the minimum distance $d$ between the code words of the ECC satisfy $d \ge 2t + 1$. Hence, a $d \ge 2t + 1 = 2n(p_{allowed} + \epsilon_{rel}) + 1$ is sufficient. This code can correct all the errors in the information string, except for an exponentially small probability bounded by $h$ (of Corollary 5.3) of having more errors in the information string than expected.

(2) The minimum distance $d^\perp$ of the code words in the span of the dual code and the PA strings (hence, the augmented dual code is of dimension $r + m$) should satisfy $d^\perp \ge 2n(p_{allowed} + \epsilon_{sec})$.

We discuss below the class of linear codes called random linear codes. Such codes cannot be easily decoded, hence their practical usefulness is limited. It may well be that such codes can be replaced by the much more practical codes, the Reed-Solomon codes, without losing the security and reliability proven below. However, analyzing Reed-Solomon codes is beyond the scope of this work.

For random linear codes (RLCs) the two requirements mentioned above can easily be satisfied. We can generate an $m$-bit secret key if we pick an $(n, n - r)$ RLC, where $r$ and $m$ satisfy

$$H_2(2p_a + 2\epsilon_{rel} + 1/n) \le r/n$$
$$H_2(2p_a + 2\epsilon_{sec}) + H_2(2p_a + 2\epsilon_{rel} + 1/n) \le 1 - R_{secret} ,$$

with $H_2$ the entropy, and $R_{secret} = m/n$ the bit-rate (namely, the efficiency of the QKD scheme). If these conditions are not met then the random linear code provides neither reliability nor security; see Appendix E. In the limit of large $n$ and $\epsilon$'s close to zero we get as a bound $2H_2(2p_a) \le 1$. Then, $p_{allowed} \le 5.50\%$ satisfies the bound and hence this is our first threshold [see Appendix E for the detailed calculation]. It is the threshold in the case in which we want to have an exact bound on Eve's information and on the reliability of the final key, as a function of parameters chosen by the designer of the QKD protocol. This is important for a designer who needs to choose a sufficiently large $n$ (that is not assumed to go to infinity); then Eve's information is bounded as in Proposition 5.1 and the reliability is bounded as in Corollary 5.3.

Note that if we let $p_{allowed}$ be sufficiently close to zero then (for sufficiently large $n$ and small $\epsilon$'s) a bit-rate $R_{secret}$ close to one can be obtained. Specific values of Eve's information, the probability of error in the final key, and the resulting bit-rate are provided in Table 5.1; this is done by choosing $\epsilon_{sec} = \epsilon_{rel} = \epsilon$ (for the sake of simplicity). As the parameters $n$, $\epsilon$, and $p_{allowed}$ can be chosen by the designer of the protocol, we present here 3 values of the reliability/security parameter, and we
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Reliability Bound (h)

              n = 12500    n = 50000    n = 200000    n = 800000    n = 3200000
  e = 0.5%                 0.54         1/12          1/22026       4 · 10^-18
  e = 1%      0.54         1/12         1/22026       4 · 10^-18    ≈ 10^-70
  e = 2%      1/12         1/22026      4 · 10^-18    ≈ 10^-70

Rate (R_secret = m/n)

              p_allowed = 2.0%    p_allowed = 3.5%    p_allowed = 5.0%
  e = 0.5%    41.7%               18.5%               0.007%*
  e = 1%      33.5%               11.7%               †
  e = 2%      18.5%               0.007%*             †

† Out of the allowed range (negative rate)

* For the case of 2p_allowed + 2e = 11.0% we calculate R_secret by solving H_2(2p_a + 2e) + H_2(2p_a + 2e + 1/n) = 0.9999 - R_secret. Here, security and reliability can be obtained only with n > 10° or so.

Table 5.1 Summary of the characteristics of a QKD protocol that uses RLC: the "Reliability Bound", $h$, is calculated according to Corollary 5.3, and the maximal bit rate $R_{secret}$ is calculated by solving $H_2(2p_a + 2\epsilon) + H_2(2p_a + 2\epsilon + 1/n) = 0.99 - R_{secret}$ (with two exceptions, denoted with * in the table). The parameters in this table are closely related to the parameters used in experiments: $n$ is related to the number of photons obtained by Bob; $2n$ photons are used according to the used-bits-BB84 protocol and slightly more than $4n$ in the conventional BB84. The error rate considered here is achieved in many experimental setups, but might limit the distance of transmission. A photon rate of 1000 photons per second (if we count the photons obtained by Bob) was also reported in various experiments, so the resulting secret-key bit-rate $R_{secret}$ can be sufficient for many practical usages.



then calculate the reliability as a function of $n$, and we calculate the maximal bit-rate as a function of $p_{allowed}$.

The "Reliability Bound" $h$ is calculated according to Corollary 5.3, and (due to the equal $\epsilon$'s) we can then get the bound on Eve's information (according to Proposition 5.1), which is exactly $2m\sqrt{h}$. We consider the numbers we got for the "Reliability Bound" in the table to be "Good" when the probability of error is 1/22026 or below. However, with $h = 1/22026$, Eve's information is $2m$ times 1/148, which means that the users cannot really enjoy the allowed bit-rate, and must use a much smaller value for $m$, as Eve could then learn too much. When the "Reliability Bound" is $4 \cdot 10^{-18}$ or $10^{-70}$ there is clearly no problem at all with Eve's information, and $m$ can be as large as the allowed bit-rate enables.

For RLC one can actually obtain a better threshold for the allowed error rate (as first noticed by Mayers [27]), by modifying requirement (1) so that:

Footnote: The term $1/n$ that appears in the parameter $[2p_{allowed} + 2\epsilon + 1/n]$ is negligible except in the two cases where the entire term approaches 11.0%. We choose a maximal bit rate by solving $H_2(2p_a + 2\epsilon) + H_2(2p_a + 2\epsilon + 1/n) = 0.99 - R_{secret}$.
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(1') The ECC can correct up to $(p_{allowed} + \epsilon_{rel})n$ errors, with probability as close to 1 as we wish.

Namely, for any $\delta$, the ECC can correct up to $(p_{allowed} + \epsilon_{rel})n$ errors, except with probability smaller than $\delta$. For RLC this is true (due to Shannon's bound, see for instance [25]) for any code having a minimum distance $d \ge t + 1 = n(p_{allowed} + \epsilon_{rel}) + 1$ (rather than $d \ge 2t + 1$, that promises the success of correcting all errors), provided that $r/n \ge H_2(p_{allowed} + \epsilon_{rel})$, and that a sufficiently large $n$ is chosen.

We show in Appendix E that requirements (1') and (2) can be satisfied and one can generate an $m$-bit secret key, if one picks an $(n, n - r)$ RLC, where $r$ and $m$ satisfy the two inequalities displayed at the end of this subsection,

where $R_{secret} = m/n$. In the limit of large $n$ and $\epsilon$'s close to zero we get as a bound $H_2(2p_a) + H_2(p_a) \le 1$. Then, $p_{allowed} \le 7.56\%$ satisfies the bound and hence this is our improved threshold (which is identical to the threshold calculated by Mayers [27]). Note that Eve's information is still bounded to be exponentially small due to Theorem 5.1, but the reliability is now bounded only asymptotically as we did not find an explicit formula for the probability $\delta$ of having an error (as a function of $n$) when the distance is $d \ge t + 1$.

Asymptotically, with a rate $R_{secret} \le 1 - H_2(p_a) - H_2(2p_a)$ the final key is secure and reliable for the given ECC+PA. Note, as $p_a$ goes to zero, $R_{secret}$ goes to 1, which means that (asymptotically) almost all the information bits are secret.
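An added numerical check, not the paper's own code, of the RLC design conditions above: it evaluates $H_2$, solves both asymptotic thresholds (the 5.50% of requirement (1) and the 7.56% of requirement (1')), and recomputes the reliability bound $h$ of Corollary 5.3, Eve's bound $2m\sqrt{h}$ and the maximal rate $R_{secret}$ used in Table 5.1. The function names and the bisection solver are our own; the formulas are the ones stated in this section.

```python
"""Numerical evaluation of the Section 5.4 design conditions for random linear codes."""
import math


def H2(p: float) -> float:
    """Binary entropy in bits; H2(0) = H2(1) = 0 by convention."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1.0 - p) * math.log2(1.0 - p)


def solve_increasing(f, target: float, lo: float, hi: float, iters: int = 200) -> float:
    """Bisection for f(x) = target on [lo, hi], where f is increasing (our helper)."""
    for _ in range(iters):
        mid = 0.5 * (lo + hi)
        if f(mid) < target:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)


def threshold_exact() -> float:
    """Largest p_a with 2 H2(2 p_a) <= 1: requirement (1), d >= 2t+1 (paper: 5.50%)."""
    return solve_increasing(lambda p: 2.0 * H2(2.0 * p), 1.0, 0.0, 0.25)


def threshold_improved() -> float:
    """Largest p_a with H2(2 p_a) + H2(p_a) <= 1: requirement (1') (paper: 7.56%)."""
    return solve_increasing(lambda p: H2(2.0 * p) + H2(p), 1.0, 0.0, 0.25)


def h_bound(n: int, eps: float) -> float:
    """Reliability bound h = exp(-n eps_rel^2 / 2) of Corollary 5.3."""
    return math.exp(-0.5 * n * eps * eps)


def eve_bound(m: int, n: int, eps: float) -> float:
    """Bound on <I'_Eve> from Proposition 5.1 with eps_sec = eps_rel = eps: 2 m sqrt(h)."""
    return 2.0 * m * math.sqrt(h_bound(n, eps))


def max_rate(p_a: float, eps: float, n: int, total: float = 0.99) -> float:
    """R_secret solving H2(2p_a+2eps) + H2(2p_a+2eps+1/n) = total - R_secret (Table 5.1).
    A negative result means the parameters are out of the allowed range."""
    x = 2.0 * p_a + 2.0 * eps
    return total - H2(x) - H2(x + 1.0 / n)


def rlc_parameters_ok(p_a: float, eps_sec: float, eps_rel: float,
                      n: int, r: int, m: int) -> bool:
    """The two conditions on an (n, n-r) RLC with an m-bit key (requirement (1) form)."""
    x_rel = 2.0 * p_a + 2.0 * eps_rel + 1.0 / n
    return (H2(x_rel) <= r / n and
            H2(2.0 * p_a + 2.0 * eps_sec) + H2(x_rel) <= 1.0 - m / n)


if __name__ == "__main__":
    print("threshold (1):  %.4f" % threshold_exact())
    print("threshold (1'): %.4f" % threshold_improved())
    for n in (12500, 50000, 200000, 800000, 3200000):
        print("n=%8d  h(eps=1%%)=%.3g  2m*sqrt(h), m=1: %.3g"
              % (n, h_bound(n, 0.01), eve_bound(1, n, 0.01)))
    for p_a in (0.02, 0.035, 0.05):
        print("p_allowed=%.3f  R_secret(eps=0.5%%)=%.4f" % (p_a, max_rate(p_a, 0.005, 200000)))
```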

This threshold is based on the properties of the code, and other codes might give worse thresholds, but might have other desired properties. Random linear codes are not so useful as their decoding cannot be done efficiently. It is possible to make use of methods for approximate decoding (in which we are not always promised that the closest code word is chosen after the error correction), but the bound on reliability then needs some adjustments. It might be better to replace the RLC by a code that can be decoded efficiently (e.g., Reed-Solomon concatenated code, with a random seed), and add random PA strings. The Hamming distance between the PA check-strings and the ECC check-strings is still bounded below in the same way as for the RLC (see [27]).

Finally, it is interesting to note that the bound $H_2(p_a) + H_2(p_a) \le 1$ (which was neither reported by us nor by Mayers) leads to the threshold of 11%, and such threshold was reported and proven by Shor and Preskill [33]. This probably means that the alternative proof presented there can, in some sense, modify requirement (2) in a way similar to the modification done here to change from (1) to (1') above. However, we could not see how the same modification could apply to our proof.

A well-known way to improve the threshold further is to allow two-way communication as part of the ECC+PA process. This technique is known as key distillation, see the basic idea described in [13]. The analysis of Eve's density matrices



$$H_2(p_a + \epsilon_{rel} + 1/n) \le r/n$$
$$H_2(2p_a + 2\epsilon_{sec}) + H_2(p_a + \epsilon_{rel} + 1/n) \le 1 - R_{secret} ,$$
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becomes much more complicated in such a case, and we do not yet know if our proof can easily be adjusted to allow that$^7$.

6 Summary 

We proved the security of the Bennett-Brassard (BB84) protocol for quantum key distribution. Our proof is based on analyzing Eve's reduced density matrices, on a novel information versus disturbance result, on the optimality of symmetric attacks, on laws of large numbers, and on various techniques that simplify the analysis of the problem.

Many of the ideas and the tools developed here can be found relevant when 
proving the security of other QKD schemes: the analysis of Eve's reduced density 
matrices, the purifications of her states, the usage of that purification for finding a 
relevant information versus disturbance bound, the use of Hoeffding's law of large 
numbers, the trace-norm-difference bound, etc. Other tools, such as the reduc- 
tion to the used-bits-BB84 protocol, and the extensive usage of symmetry could 
also provide some important insight, but are somewhat more specific to the BB84 
scheme. 
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$^7$ After the submission of our paper, Gottesman and Lo proved that the Shor-Preskill proof of security can be adjusted to deal with such a key distillation, yielding an improved threshold for $p_{allowed}$; see quant-ph/0105121.
A Security of BB84

In the paper we prove that used-bits-BB84 is secure. Let us now present the original BB84 protocol and prove, by reduction, that its security follows immediately from the security of the used-bits-BB84 protocol.

The differences between the protocols are only in the first part. The first part of the BB84 protocol is as follows:

I. Creating the sifted key:

1. Alice and Bob choose a large integer $n \gg 1$ and a number $\delta_{num}$ such that $1 > \delta_{num} > 1/\sqrt{2n}$. The protocol uses $n'' = (4 + \delta_{num})n$ bits.

2. Alice randomly selects two $n''$-bit strings, $b''$ and $i''$, which are then used to create qubits: the string $b''$ determines the basis ($0 = z$ and $1 = x$) of the qubits, and the string $i''$ determines the value (0 or 1) of each of the $n''$ qubits (in the appropriate bases).

3. Bob randomly selects an $n''$-bit string, $b^b$, which determines Bob's later choice of bases for measuring each of the $n''$ qubits.

4. Alice generates $n''$ qubits according to her selection of $b''$ and $i''$, and sends them to Bob via a quantum communication channel.

5. After receiving the qubits, Bob measures in the bases $b^b$.

6. Alice and Bob publish the bases they used; this step should be performed only after Bob has received all the qubits.

7. All qubits with different bases are discarded by Alice and Bob. Thus, Alice and Bob finally have $n'$ (about $n''/2$) bits for which they used the same bases $b'$. The $n'$-bit string would be identical for Alice and Bob if Eve and natural noise do not interfere.

8. Alice selects the first $2n$ bits from the $n'$-bit string, and the rest of the $n'$ bits are discarded. If $n' < 2n$ the protocol is aborted (a fake random key can be chosen in this case via the unjammable classical channel, so that the key is not secret; however, the probability for this to happen is exponentially small).

We shall refer to the resulting $2n$-bit string as the sifted key.
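The eight steps above, run as a classical bookkeeping simulation (no Eve, no quantum state; a qubit measured in its preparation basis returns Alice's bit, in the other basis a uniformly random bit). This is an added example, not code from the paper; the noise model, the seed and the function names are constructed here. The second function shows the observation the reduction below relies on: once $b''$ and $b^b$ are fixed, the used and un-used positions of steps 7 and 8 are already determined.

```python
import math
import random


def bb84_sift(n, delta_num, rng, error_rate=0.0):
    """Simulate part I of BB84 as listed above (no Eve).  Returns a dict describing the run."""
    n_pp = int(math.ceil((4 + delta_num) * n))          # step 1: n'' = (4 + delta_num) n
    b_alice = [rng.randint(0, 1) for _ in range(n_pp)]  # step 2: bases b'' (0 = z, 1 = x)
    i_alice = [rng.randint(0, 1) for _ in range(n_pp)]  # step 2: values i''
    b_bob = [rng.randint(0, 1) for _ in range(n_pp)]    # step 3: Bob's bases b^b, fixed in advance
    # steps 4-5: a qubit measured in its preparation basis returns Alice's bit (flipped with
    # probability error_rate, a constructed noise model); in the other basis the outcome is random
    j_bob = []
    for k in range(n_pp):
        if b_alice[k] == b_bob[k]:
            j_bob.append(i_alice[k] ^ int(rng.random() < error_rate))
        else:
            j_bob.append(rng.randint(0, 1))
    # steps 6-7: after the bases are published, positions with different bases are dropped
    same_basis = [k for k in range(n_pp) if b_alice[k] == b_bob[k]]
    n_p = len(same_basis)
    result = {"n_pp": n_pp, "n_p": n_p, "b_alice": b_alice, "b_bob": b_bob,
              "aborted": n_p < 2 * n}
    if result["aborted"]:                                # step 8: abort if fewer than 2n survive
        return result
    used = same_basis[:2 * n]                            # step 8: the first 2n agreeing positions
    result["used"] = used
    result["unused"] = sorted(set(range(n_pp)) - set(used))
    result["alice_key"] = [i_alice[k] for k in used]     # the sifted key on each side
    result["bob_key"] = [j_bob[k] for k in used]
    return result


def used_positions_from_bases(b_alice, b_bob, n):
    """The observation behind the reduction: once b'' and b^b are fixed, the used /
    un-used split of steps 7-8 is determined, before any qubit is sent."""
    same = [k for k in range(len(b_alice)) if b_alice[k] == b_bob[k]]
    return same[:2 * n] if len(same) >= 2 * n else None


def demo(seed=7, n=40, delta_num=2):
    """Deterministic run (constructed seed) used to exercise the functions above."""
    return bb84_sift(n, delta_num, random.Random(seed))
```

With `error_rate=0` the two sifted keys agree exactly, which is the "if Eve and natural noise do not interfere" case of step 7; a non-zero rate shows the disagreements the test bits are later used to estimate.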

The second part of the protocol is identical to the second part of the used-bits-BB84 protocol. To prove that BB84 is secure, let us modify BB84 by a few steps in such a way that each step can only be helpful to Eve, and the final protocol is the used-bits-BB84. Each item below describes a different protocol, obtained by modifying the previous protocol.

Recall that Alice and Bob choose their strings of bases $b''$ and $b^b$ in advance. Recall that the two strings are random. Thus, the first modification below has no influence at all on the security or the analysis of the BB84 protocol. Note that after the first modification Alice knows the un-used bits in advance. The second and the third modifications are done in a way that Eve can only gain, hence security of the resulting protocol provides the security of BB84. The last modification is only "cosmetic", in order to derive precisely the used-bits-BB84 protocol. This modification changes nothing in terms of Eve's ability.

- Let Bob have a quantum memory. Let Alice choose $b^b$ instead of Bob at step 3. When Bob receives the qubits at step 5, let him keep the qubits in a memory and tell Alice he received them. In step 6, let Alice announce $b^b$ to Bob, and Bob measures in the bases $b^b$.

From the announcements of $b''$ and $b^b$, Bob knows which are the used and the un-used bits, as determined in steps 7 and 8. Now, at the end of step 8, Alice and Bob know all the un-used bits, so they ignore them, to be left with $2n$ bits.

Note that in this modified protocol, Alice can calculate which are the un-used bits already at step 3 (if she wishes to know this).

- Let Alice calculate the un-used bits and announce them already at the end of step 3. Let her also announce their bases ($b''_{\mathrm{unused}}$ and $b^b_{\mathrm{unused}}$) and their values $i''_{\mathrm{unused}}$. Obviously, such announcements can only help Eve to gain more information (and maybe even to choose a better attack). Thus this step only reduces the security, so if the protocol defined here is secure, so is the original BB84 protocol.

- Let Alice generate and send to Bob only the used bits in step 4, and let her ask Eve to send the un-used bits (by telling her which these are, and also the preparation data for the relevant subsets, that is, $b''_{\mathrm{unused}}$ and $i''_{\mathrm{unused}}$). Knowing which are the used bits, and knowing their bases and values, can only help Eve in designing her attack, thus security can only be reduced by this step.

Since Bob never uses the values of the un-used bits in the protocol (he only ignores them), he does not care if Eve does not provide him these bits, or provides them without following Alice's preparation request. After Bob receives the used and un-used bits, let him give Eve the un-used qubits (without measuring them), and ask her to measure them in the bases $b^b_{\mathrm{unused}}$. Having these qubits can only help Eve in designing her optimal final measurement, thus security can only be reduced by this step.

Since Bob never uses the values of the un-used bits in the rest of the protocol, he does not care if Eve does not provide him these values correctly or at all.

- Since Alice and Bob never made any use of the un-used bits, Eve could have them as part of her ancilla to start with, and Alice could just create $2n$ bits, send them to Bob, and then tell him the bases.

The protocol obtained after this reduction is a protocol in which Eve has full control of her qubits and of the un-used qubits; Alice and Bob have control of the preparation and measurement of the used bits only. This is the used-bits-BB84, for which we prove security in the text.

One important remark is that the exponentially small probability that $n' < 2n$ in step 8 (so that the protocol is aborted due to an insufficient number of bits in the sifted key) now becomes a probability that Eve learns the key.

Another important remark is that the issue of a high loss rate of qubits (e.g., due to losses in transmission or detection) can also be handled via the same reduction. Thus, our proof could apply also to a more practical BB84 protocol where high losses are allowed. The required modification to the protocol is then that Bob will not add missing qubits in step 1.3 of the used-bits-BB84 protocol, and in an additional step (prior to step 1.4) he will inform Alice of the bits he did not obtain.

By the way, another practical aspect is imperfect sources (in which the created states are not described by a two-level system). This subject is the issue of recent subtlety regarding the security of practical schemes [12, 11], and it is not discussed in this current work.

B Information Theoretic Basics and Results

B.1 Basics of information theory [14]

Let $X$ and $Y$ be random variables whose values are indexed by $x$ and $y$ respectively, appearing with probabilities $p(x)$ and $p(y)$. The entropy of a random variable is $H(X) = -\sum_x p(x)\log_2 p(x)$. For two variables, $H(X \mid y) = -\sum_x p(x \mid y)\log_2 p(x \mid y)$ and $H(X \mid Y) = \sum_y p(y)\, H(X \mid y)$. For any two random variables $X$ and $Y$, the mutual information $I(X;Y) = H(X) - H(X \mid Y)$ describes the decrease in the entropy of $X$ due to learning $Y$; this function $I$ is symmetric under swapping $X$ and $Y$.

For three random variables $A$, $E$, and $X$ given to be $x$, the conditional mutual information is $I(A;E \mid x) = H(A \mid x) - H(A \mid E, x)$. Then the conditional mutual information for the three random variables is $I(A;E \mid X) = \sum_x p(x)\, I(A;E \mid x)$. Another case which is relevant is with four random variables $A$, $E$, $X$ and $Y$ given to be equal to $y$: $I(A;E \mid X, y) = \sum_x p(x \mid y)\, I(A;E \mid x, y)$.

An important tool is the chain rule $I(A,B;C) = I(A;C) + I(B;C \mid A)$. As a corollary from the chain rule and the positivity of mutual information, one gets $I(A,B;C) \ge I(B;C \mid A)$.
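The definitions of this subsection, computed numerically from a joint distribution so that the chain rule and the corollary can be checked on a concrete case. This is an added example (not from the paper); the joint distribution is constructed here: $A$ and $B$ are independent uniform bits and $C = A \oplus B$ passed through a binary symmetric channel. On this distribution $I(A;C) = 0$ while $I(B;C \mid A) = 1 - H_2(\mathrm{flip})$, which is the kind of "conditioning changes everything" effect the appendix uses for Eve's information.

```python
import math
from collections import defaultdict


def entropy(dist):
    """H(X) = -sum_x p(x) log2 p(x) for a dict {x: p(x)}, with 0 log 0 := 0."""
    return -sum(q * math.log2(q) for q in dist.values() if q > 0)


def binary_entropy(p):
    """H_2(p), the entropy of a biased bit."""
    return entropy({0: 1 - p, 1: p})


def marginal(joint, keep):
    """Marginalise a joint dict {(x0, x1, ...): p} onto the index positions in `keep`."""
    out = defaultdict(float)
    for key, q in joint.items():
        out[tuple(key[i] for i in keep)] += q
    return dict(out)


def conditional_entropy(joint, target, given=()):
    """H(Target | Given) = sum_g p(g) H(Target | g); with given=() this is H(Target)."""
    total = 0.0
    for g, pg in marginal(joint, given).items():
        cond = defaultdict(float)
        for key, q in joint.items():
            if tuple(key[i] for i in given) == g:
                cond[tuple(key[i] for i in target)] += q / pg
        total += pg * entropy(cond)
    return total


def mutual_information(joint, a, b, given=()):
    """I(A;B | G) = H(A | G) - H(A | B, G), the definition used in Appendix B.1."""
    return (conditional_entropy(joint, a, given)
            - conditional_entropy(joint, a, tuple(b) + tuple(given)))


def xor_channel_joint(flip=0.1):
    """Constructed joint distribution over (A, B, C): A and B are independent uniform
    bits and C = A xor B, flipped with probability `flip`.  Index 0 = A, 1 = B, 2 = C."""
    joint = {}
    for a in (0, 1):
        for b in (0, 1):
            for c in (0, 1):
                p_c = (1 - flip) if c == (a ^ b) else flip
                joint[(a, b, c)] = 0.25 * p_c
    return joint


def chain_rule_check(joint):
    """Returns (I(A,B;C), I(A;C) + I(B;C|A)); the chain rule says they are equal."""
    lhs = mutual_information(joint, (0, 1), (2,))
    rhs = (mutual_information(joint, (0,), (2,))
           + mutual_information(joint, (1,), (2,), given=(0,)))
    return lhs, rhs
```

The corollary $I(A,B;C) \ge I(B;C \mid A)$ follows here because $I(A;C) \ge 0$; the same helpers can be pointed at any small joint table (for instance one including a "test passed" indicator) to evaluate the conditional quantities that appear in the security criteria below.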

B.2 Bad Security Criteria

B.2.1 A first bad security criterion and the SWAP attack: What one might like to obtain as a security criterion is that Eve's information, given that the test is passed, is negligible. Formally, this puts a restriction on the values of $j_T$: for any $i_T$, only $j_T$ such that $|i_T \oplus j_T| \le n p_a$ are allowed. Then, the criterion is

$$I(A;E \mid I_T, J_T, B, S, \Xi, T = \mathrm{pass}) \le A e^{-\beta n} \qquad (B.1)$$

with $A$ and $\beta$ positive constants, and $I(A;E \mid I_T, J_T, B, S, \Xi, T = \mathrm{pass}) = \sum_{i_T, j_T, b, s, \xi} p(i_T, j_T, b, s, \xi \mid T = \mathrm{pass})\, I(A;E \mid i_T, j_T, b, s, \xi, T = \mathrm{pass})$, with $c_T = i_T \oplus j_T$, and $T = \mathrm{pass}$ meaning that $|c_T| \le n p_a$.

Unfortunately, the above bound is too demanding and is not satisfied in quantum cryptography. Given that the test is passed, Eve can still have full information. Consider the SWAP attack: Eve takes Alice's qubits and puts them into a quantum memory. She sends random BB84 states to Bob. Eve measures the qubits she kept after learning their bases, hence gets full information about Alice's final key. In this case, Bob will almost always abort the protocol because it is very unlikely that his bits will pass the test. However, in the rare event when the test is passed, Eve has full information about Alice's key. So, given the test is passed (a rare event), her information is still $m$ bits, and the above criterion cannot be satisfied.

B.2.2 A second bad security criterion and the half-SWAP attack: Another potential security criterion says the following: "For any attack, either Eve's average information is negligible or the probability that the test is passed is negligible". Namely, if Eve tries an attack that would give her non-negligible information about a final key, she has to be extremely lucky in order to pass the test. This security criterion can be formally written as $\langle I_{Eve}\rangle\, P(T = \mathrm{pass}) \le A e^{-\beta n}$ with $A$ and $\beta$ positive constants. This suggested security criterion is different from the previously suggested one, and it is satisfied by the SWAP attack mentioned above.

Unfortunately, as observed in an earlier (archive) version of [27], this criterion is also inappropriate. Consider the half-SWAP attack in which Eve does nothing with probability half, and performs the SWAP attack with probability half. This half-SWAP attack gives an average information of exactly $m/2$, and it passes the test with probability larger than half. Obviously these two cases, getting non-negligible information and passing the test with high probability, will not happen in the same event, hence security can still be achieved, but it must be defined via less demanding criteria, such as the two used in the paper.

B.3 Alternative Security Criteria

B.3.1 Finding different expressions for $\langle I'_{Eve}\rangle$: First, we prove Eq. (2.3), namely that $\langle I'_{Eve}\rangle = I(A;E \mid I_T, J_T, B, S, \Xi, T = \mathrm{pass})\, P[T = \mathrm{pass}]$. By expanding $\langle I'_{Eve}\rangle$ we get:

$$\begin{aligned}
\langle I'_{Eve}\rangle &= \sum_{|i_T \oplus j_T| \le n p_a} I(A;E \mid i_T, j_T, b, s, \xi)\, p(i_T, j_T, b, s, \xi) \\
&= \sum_{|i_T \oplus j_T| \le n p_a} I(A;E \mid i_T, j_T, b, s, \xi)\, p(i_T, j_T, b, s, \xi \mid T = \mathrm{pass})\, P(T = \mathrm{pass}) \\
&= \sum_{|i_T \oplus j_T| \le n p_a} I(A;E \mid i_T, j_T, b, s, \xi, T = \mathrm{pass})\, p(i_T, j_T, b, s, \xi \mid T = \mathrm{pass})\, P(T = \mathrm{pass}) \\
&= \Big[\sum_{|i_T \oplus j_T| \le n p_a} I(A;E \mid i_T, j_T, b, s, \xi, T = \mathrm{pass})\, p(i_T, j_T, b, s, \xi \mid T = \mathrm{pass})\Big]\, P(T = \mathrm{pass}) \\
&= I(A;E \mid I_T, J_T, B, S, \Xi, T = \mathrm{pass})\, P[T = \mathrm{pass}]
\end{aligned}$$

Indeed, $p(i_T, j_T, b, s, \xi \mid \mathrm{pass})\, p(\mathrm{pass}) = p(i_T, j_T, b, s, \xi, \mathrm{pass})$, and this value is equal to $p(i_T, j_T, b, s, \xi)$ if $|i_T \oplus j_T| \le n p_a$ and is 0 otherwise. When the value is not 0, the condition pass is automatically satisfied and can be put in the right-hand side of the mutual information.

Second, we prove in full detail Eq. (2.4), namely that $\langle I'_{Eve}\rangle = \sum_{|c_T| \le n p_a} P[C_T = c_T]\, I(A;E \mid I_T, C_T = c_T, B, S, \Xi)$.

Note that $I'_{Eve}$ is the random variable equal to $I(A;E \mid i_T, j_T, b, s, \xi)$ when $|i_T \oplus j_T| \le n p_a$ (i.e. when $T = \mathrm{pass}$) and to 0 otherwise. As a consequence,

$$\begin{aligned}
\langle I'_{Eve}\rangle &= \sum_{|c_T| \le n p_a}\ \sum_{i_T, b, s, \xi} I'_{Eve}(i_T, i_T \oplus c_T, b, s, \xi)\, p(i_T, i_T \oplus c_T, b, s, \xi) \\
&= \sum_{|c_T| \le n p_a}\ \sum_{i_T, b, s, \xi} I(A;E \mid i_T, C_T = c_T, b, s, \xi)\, P[i_T, b, s, \xi \mid c_T]\, P[C_T = c_T] \\
&= \sum_{|c_T| \le n p_a} P[C_T = c_T]\, I(A;E \mid I_T, C_T = c_T, B, S, \Xi)
\end{aligned}$$

B.3.2 Security against the Half-SWAP Attack: In the half-SWAP attack Eve has a probe $|p\rangle$ where $p$ is a $2n$-bit string. With probability half she applies the unitary transform $U_0|p\rangle|i\rangle_b = |p\rangle|i\rangle_b$ (she does nothing and then sends $|i\rangle_b$ to Bob) and with probability half she applies the unitary transform $U_1|p\rangle|i\rangle_b = |i\rangle_b|p\rangle$ (swap) and sends $|p\rangle$ to Bob, keeping the probe in the state $|i\rangle_b$. We can present a fully quantum attack, and let Eve use an additional single-qubit probe $|e_0\rangle$ initially in the state $H|0\rangle$, so that her full probe contains $2n+1$ qubits. Her attack is defined by the unitary transform

$$U|0\rangle|p\rangle|i\rangle_b = |0\rangle|p\rangle|i\rangle_b$$
$$U|1\rangle|p\rangle|i\rangle_b = |1\rangle|i\rangle_b|p\rangle$$

which means that she uses her additional qubit $|e_0\rangle$ to decide whether she swaps or not (using $2n$ Controlled-SWAP gates). Let us describe Eve's measurement: she measures her new bit $e_0$ in the standard basis and then, if she gets $e_0 = 1$, she measures the "probe" $|e_1\rangle = |i\rangle_b$ in the basis $b$ and gets $i$; else she measures her original probe $|p\rangle$ in the standard basis and gets $p$. Her two outputs $(e_0, e_1)$, equal to either $(0, p)$ or $(1, i)$, define the random variable $E = (E_0, E_1)$ (respectively). Formulated that way, the half-SWAP attack fits our framework better. Notice that $p$ and $a$ (Alice's final key) are completely uncorrelated and that $i$ determines $a$ completely after the ECC and PA steps are completed.

Now let us look at our security criteria, and observe $I(A;E \mid I_T, J_T, B, S, \Xi, \mathrm{pass})\, P[T = \mathrm{pass}]$. Of course $p(\mathrm{pass}) = 1/2$. It is however a big mistake to believe that $I(A;E \mid I_T, J_T, B, S, \Xi, \mathrm{pass})$ is equal to $m$ or $m/2$. Eve's information is equal to $m$ if the following two conditions are satisfied:

- the test is passed

- she applied the SWAP attack

otherwise, she gets 0 information. So Eve's information is $m$ times the probability that both the test is passed and she applied the SWAP attack, which is equal to $1/2$ times the probability of passing the test when she swaps. This is exponentially small.

In order to make this intuitive reasoning formal, let us use (a particular case of) the chain rule for mutual information (see Appendix B.1):

$$I(E;A) = I(E_0, E_1; A) = I(E_0; A) + I(E_1; A \mid E_0)$$

Now, $E_0$ corresponds to a random bit generated by Eve, independently of $i$ and thus independently of $a$. As a consequence $I(E_0; A \mid i_T, j_T, b, s, \xi) = 0$ and thus $I(E_0; A \mid I_T, J_T, B, S, \Xi, \mathrm{pass}) = 0$. This implies that

$$I(E;A \mid I_T, J_T, B, S, \Xi, \mathrm{pass})\, p(\mathrm{pass}) = I(E_1; A \mid E_0, I_T, J_T, B, S, \Xi, \mathrm{pass})\, p(\mathrm{pass}).$$

Now

$$I(E_1; A \mid E_0, i_T, j_T, b, s, \xi) = \sum_{e_0} I(E_1; A \mid e_0, i_T, j_T, b, s, \xi)\, p(e_0 \mid i_T, j_T, b, s, \xi).$$

If $e_0 = 0$ then $E_1$ is just the dummy output $p$ that is independent of $a$, and as a consequence $I(E_1; A \mid e_0, i_T, j_T, b, s, \xi) = 0$. On the other hand, if $e_0 = 1$ (written "swap" hereunder) then Eve gets full information, i.e. the $m$ bits of the key. We are thus left with the equality

$$I(E;A \mid i_T, j_T, b, s, \xi) = m\, p(\mathrm{swap} \mid i_T, j_T, b, s, \xi)$$

where, of course, Bob's outputs $j_T$ will depend heavily on the swap! We can now expand

$$\begin{aligned}
I(E;A \mid I_T, J_T, B, S, \Xi, \mathrm{pass})\, p(\mathrm{pass})
&= m \sum_{|i_T \oplus j_T| \le n p_a,\ i_T, b, s, \xi} p(\mathrm{swap} \mid i_T, j_T, b, s, \xi)\, p(i_T, j_T, b, s, \xi) \\
&= m\, p(\mathrm{swap} \wedge \mathrm{pass}) \\
&= m\, p(\mathrm{pass} \mid \mathrm{swap})\, p(\mathrm{swap}) \\
&= \frac{m}{2}\, p(\mathrm{pass} \mid \mathrm{swap})
\end{aligned}$$

which is exponentially small.

In fact, the half-SWAP attack does not even make $I(E;A \mid I_T, J_T, B, S, \Xi, \mathrm{pass})$ large, since this is equal to

$$\frac{m}{2}\, p(\mathrm{pass} \mid \mathrm{swap}) \cdot \frac{1}{p(\mathrm{pass})} = m\, p(\mathrm{pass} \mid \mathrm{swap}),$$

meaning that the first inappropriate security criterion is actually satisfied if the half-SWAP attack is used.



C A Few Technical Lemmas

C.1 A Proof of Lemma 3.3

We prove here Eq. 3.15. It is actually possible to prove equality, but for our purpose the inequality is as good, so we do not bother with proving equality.

This is done by proving that $I(A; M \mid I_T, C_T = c_T, b, s, \Xi) = 0$. See the chain rule used in the first inequality below.

Proof Using the chain rule described in Appendix B.1, we get

$$\begin{aligned}
I(A; E', M \mid I_T, C_T = c_T, b, s, \Xi)
&\ge I(A; E' \mid M, I_T, C_T = c_T, b, s, \Xi) \\
&= \sum_{i_T, \xi, m} P'[i_T, \xi, m \mid c_T, b, s]\, I(A; E' \mid m, i_T, c_T, b, s, \xi) \\
&= \sum_{i_T, \xi, m} P'[i_T, \xi \mid c_T, b, s, m]\, I(A; E' \mid m, i_T, c_T, b, s, \xi)\, p(m)
\end{aligned}$$

For any fixed $m$, the effect of the symmetrizing transformation $S$ is to replace $i$ by $i \oplus m$ ($c_T$ remaining fixed). In particular $i_T$ becomes $i_T \oplus m_T$ and $i_I$ becomes $i_I \oplus m_I$, and so $\xi$ becomes $(i_I \oplus m_I)P_C^T = \xi \oplus m_I P_C^T$, and so

$$P'(i_T, \xi \mid c_T, b, s, m) = P(i_T \oplus m_T,\ \xi \oplus m_I P_C^T \mid c_T, b, s)$$
$$I(A; E' \mid m, i_T, C_T = c_T, b, s, \xi) = I(A; E \mid i_T \oplus m_T,\ C_T = c_T,\ b, s,\ \xi \oplus m_I P_C^T)$$

If we let $i'_T = i_T \oplus m_T$, $\xi' = \xi \oplus m_I P_C^T$ and use the fact that the same value of $\xi'$ is obtained $2^{n-r}$ times (as $m_I$ ranges over the $2^n$ $n$-bit strings), we get

$$\begin{aligned}
I(A; E', M \mid I_T, C_T = c_T, b, s, \Xi)
&\ge \sum_{i_T, \xi, m} P'[i_T, \xi \mid c_T, b, s, m]\, I(A; E' \mid m, i_T, C_T = c_T, b, s, \xi)\, p(m) \\
&= 2^{n-r} \sum_{i_T, \xi}\ \sum_{i'_T, \xi'} P[i'_T, \xi' \mid c_T, b, s]\, I(A; E \mid i'_T, C_T = c_T, b, s, \xi')\, 2^{-2n} \\
&= 2^{n-r}\, 2^{n+r} \sum_{i'_T, \xi'} P[i'_T, \xi' \mid c_T, b, s]\, I(A; E \mid i'_T, C_T = c_T, b, s, \xi')\, 2^{-2n} \\
&= \sum_{i'_T, \xi'} P[i'_T, \xi' \mid c_T, b, s]\, I(A; E \mid i'_T, C_T = c_T, b, s, \xi') \\
&= I(A; E \mid I_T, C_T = c_T, b, s, \Xi) \qquad \square
\end{aligned}$$

C.2 A Proof of Lemma 3.5

Using the Basic Lemma of Symmetrization (Eq. 3.7) and the fact that the $|m\rangle$ form an orthonormal basis,

m 

(C.l) 

By replacing «' and / by i ® u, j © m, i' Q) u and 
f © u in this formula, we get (i^-|"[j-e J^''^©«,j'eu)'' 

^ Z^m'^ '^J \-^ieM©m,j©Mem,|-^i'eM©m,j'©M©m/f'- 

Defining w; = u © m we get (-EX!je«l^iCj'e«)(' 
2-'"E.(-l)^'®^'®^'®^"'-"'®"(i^ie«.je«.l^^i'e«.,i'e«,)f. and using (C.l) we 
finally get 

(^i.-enl^^^C'eJ'. = {-l)^'^^^'^^'^-{E7T'\Err)^ • (C.2) 

Considering information and test bits, if we let $u = u_I u_T$ with $u_T = 0$ and use the fact (Lemma 3.4) that the normalizing factor for a symmetrized attack depends only on $i_T$, $j_T$, $b$ and $s$ (so we can divide both sides by the same normalization factor), we deduce from (C.2) the identity

$$\langle E^{sym}_{i \oplus u,\, j \oplus u} \mid E^{sym}_{i' \oplus u,\, j' \oplus u}\rangle_{b,s} = (-1)^{(i_I \oplus j_I \oplus i'_I \oplus j'_I) \cdot u_I}\, \langle E^{sym}_{i, j} \mid E^{sym}_{i', j'}\rangle_{b,s} \qquad (C.3)$$

For any $n$-bit string $u_I$, we get by Eq. (C.3), by letting $i'_I = i_I \oplus k_I$, $j'_I = j_I \oplus k_I$ (the test-bit indices $i_T, j_T$ being kept fixed and omitted below), that $(i_I \oplus j_I \oplus i'_I \oplus j'_I) \cdot u_I = 0$, and so

$$\langle E^{sym}_{i_I \oplus u_I,\ j_I \oplus u_I} \mid E^{sym}_{i_I \oplus k_I \oplus u_I,\ j_I \oplus k_I \oplus u_I}\rangle_{b,s} = \langle E^{sym}_{i_I,\ j_I} \mid E^{sym}_{i_I \oplus k_I,\ j_I \oplus k_I}\rangle_{b,s}.$$

By writing $j_I = i_I \oplus c_I$ we get

$$\langle E^{sym}_{i_I \oplus u_I,\ i_I \oplus c_I \oplus u_I} \mid E^{sym}_{i_I \oplus k_I \oplus u_I,\ i_I \oplus c_I \oplus k_I \oplus u_I}\rangle_{b,s} = \langle E^{sym}_{i_I,\ i_I \oplus c_I} \mid E^{sym}_{i_I \oplus k_I,\ i_I \oplus c_I \oplus k_I}\rangle_{b,s},$$

so that the first part of the Lemma is proven ($\langle E^{sym}_{i_I,\ i_I \oplus c_I} \mid E^{sym}_{i_I \oplus k_I,\ i_I \oplus c_I \oplus k_I}\rangle_{b,s}$ is independent of $i_I$).

Summing over $c_I$ and changing back to $j_I$, we get that $\sum_{j_I} \langle E^{sym}_{i_I, j_I} \mid E^{sym}_{i_I \oplus k_I,\ j_I \oplus k_I}\rangle_{b,s}$ is also independent of $i_I$.


C.3 A Proof of Eq. (3.27)

We show that $p(j_T \mid i_T, b_I, b_T, s) = p(j_T \mid i_T, b'_I, b_T, s)$ for any choice of basis $b'_I$ on the information bits. For any basis $b'_I$, the change of basis between $b'_I$ and $b_I$ is expressed by a unitary matrix $U = (u_{i'_I, i_I})$ such that $|i'_I\rangle_{b'_I} = \sum_{i_I} u_{i'_I, i_I}\, |i_I\rangle_{b_I}$, $\sum_{j_I} u_{j'_I, j_I}\, |j_I\rangle_{b_I} = |j'_I\rangle_{b'_I}$ and, of course, $UU^\dagger = U^\dagger U = 1$. From the defining equation $|E_{i_T, i_I, j_T, j_I}\rangle_b = {}_b\langle j_T|\,{}_b\langle j_I|\, U|0\rangle_E\, |i_T\rangle_b |i_I\rangle_b$ (Eq. 3.17) and the above, we get

$$|E_{i_T, i'_I, j_T, j'_I}\rangle_{b_T, b'_I} = \sum_{i_I, j_I} u_{i'_I, i_I}\, u^*_{j'_I, j_I}\, |E_{i_T, i_I, j_T, j_I}\rangle_{b_T, b_I} \qquad (C.4)$$

For any $b$, we have $p(j_T \mid i_T, b, s) = \sum_{i_I} p(j_T \mid i_T, i_I, b, s)\, p(i_I \mid i_T, b, s)$. As $p(i_I \mid i_T, b, s) = 1/2^n$ (since these values are chosen at random by Alice), we can deduce, using Eq. (3.20), $p(j_T \mid i_T, i_I, b, s) = \sum_{j_I} \langle E_{i_T, i_I, j_T, j_I} \mid E_{i_T, i_I, j_T, j_I}\rangle_b$, that

$$p(j_T \mid i_T, b, s) = \frac{1}{2^n} \sum_{j_I, i_I} \langle E_{i_T, i_I, j_T, j_I} \mid E_{i_T, i_I, j_T, j_I}\rangle_b \qquad (C.5)$$

If we apply Eq. (C.5) in the particular case where the basis is $b'_I, b_T$, and we expand its right-hand side using Eq. (C.4), then, because of the unitarity of $U$, the six sums reduce to two, yielding a term that is exactly equal to the right-hand side of Eq. (C.5) with basis $b = b_I, b_T$. That is:

$$p(j_T \mid i_T, b'_I, b_T, s) = \frac{1}{2^n} \sum_{j_I, i_I} \langle E_{i_T, i_I, j_T, j_I} \mid E_{i_T, i_I, j_T, j_I}\rangle_b \qquad (C.6)$$

□



C.4 A Proof of Lemma 4.1 
We start from Eq. (4.8), namely 

P^^» [C, = CI I iT,3T,b\s\ =^Y.^E^^i',^JE,,,,^^,),o^,. (C.7) 

with $b^0 = b \oplus s$. From Hadamard, we know that the unitary matrix $U = (u_{i'_I, i_I})$ used to express $|i'_I\rangle_{b'_I}$ in terms of the $|i_I\rangle_{b_I}$ is defined by $u_{i'_I, i_I} = 2^{-n/2}(-1)^{i'_I \cdot i_I}$ and, for that particular choice of $b'_I$, Eq. (C.4) reduces to

Due to Corollary 3.3, $p^{sym}(j_T \mid i_T, b_T, s)$ is independent of $b_I$, so both sides can be divided by the same normalization factor, and this implies that

Then, going back to Eq. (C.7) and replacing $|E^{sym}\rangle_{b^0}$ by those values, leaves $P^{sym}[C_I = c_I \mid i_T, j_T, b^0, s]$

= — ^ _L(_l)("®»7)-fej'®(j>®Ji)-(fe/®c7)^£;sym |£;sym^^^^ 

The sum over $k_I$ is non-zero only when $i_I \oplus i'_I = j_I \oplus j'_I = h_I$,



and then it is $2^n$, so the remaining sum over $i_I, j_I, h_I$ equals $\langle V_{c_I} \mid V_{c_I}\rangle = d^2_{c_I}$, where the last equalities are due to the calculation of the norm of $\eta$ in Eq. (4.5).
C.5 A Proof of Proposition 4.3

We prove here Proposition 4.3, which claims a bound on the $m$-bit key given a bound on a 1-bit key.

Proof Let $F(\tilde v) = 2\sqrt{P^{sym}[\,|C_I| \ge \tilde v/2 \mid i_T, j_T, b^0, s\,]}$. For any $r'$ such that $r \le r' < r + m$, let $C'$ be the code whose parity check matrix $P_{C'}$ has the rows $v_1, \ldots, v_{r'}$. Then $P_{C'}$ has rank $r'$ and $C'$ is an $(n, k', d')$ code with $k' = n - r'$. Moreover $v_{r'+1} \notin C'^{\perp} = V_{r'}$. As a consequence, Proposition 4.2 applies and gives that

$$I(A'; E^{sym} \mid i_T, j_T, b, s, \xi') \le F(\tilde v_{r'+1})$$

for $a' = v_{r'+1} \cdot i_I = a_{j+1}$ with $j = r' - r$, $\xi' = i_I P_{C'}^T = \xi_1 \cdots \xi_r\, a_1 \cdots a_j$, $\tilde v_{r'+1} = d_H(v_{r'+1}, V_{r'})$ and $b^0 = b \oplus s$. This can be rewritten

$$I(A_{j+1}; E^{sym} \mid i_T, j_T, b, s, \xi, a_1 \ldots a_j) \le F(\tilde v_{r'+1})$$

and the result follows from Lemma 4.3 by taking $F = \max_{r \le r' < r+m} F(\tilde v_{r'+1}) = F(\tilde v)$ for $\tilde v = \min_{r \le r' < r+m} \tilde v_{r'+1}$. □



C.6 A Proof of Lemma 5.1

The Lemma says:

$$\sum_{|c_T| \le n p_a} P^{sym}[C_T = c_T \mid b, s]\; I(A; E^{sym} \mid I_T, C_T = c_T, b, s, \Xi) \;\le\; 2m\, \sqrt{P^{sym}\Big[\Big(|C_I| \ge \tfrac{\tilde v}{2}\Big) \wedge \Big(\tfrac{|C_T|}{n} \le p_a\Big) \,\Big|\, b^0, s\Big]}$$

Proof If we expand $I_T$ and $\Xi$ in the expression $I(A; E^{sym} \mid I_T, C_T = c_T, b, s, \Xi)$ then we get

$$\begin{aligned}
\sum_{|c_T| \le n p_a} P^{sym}[C_T = c_T \mid b, s]\; I(A; E^{sym} \mid I_T, C_T = c_T, b, s, \Xi)
&= \sum_{|c_T| \le n p_a,\ i_T,\ \xi} P^{sym}(i_T,\ j_T = i_T \oplus c_T,\ \xi \mid b, s)\; I(A; E^{sym} \mid i_T, j_T, b, s, \xi) \\
&= \sum_{|i_T \oplus j_T| \le n p_a,\ i_T,\ \xi} P^{sym}(i_T, j_T, \xi \mid b, s)\; I(A; E^{sym} \mid i_T, j_T, b, s, \xi) \\
&= \sum_{|i_T \oplus j_T| \le n p_a,\ i_T,\ \xi} P^{sym}(i_T, j_T \mid b^0, s)\, 2^{-r}\; I(A; E^{sym} \mid i_T, j_T, b, s, \xi).
\end{aligned}$$

The last equality requires a detailed explanation. First, notice that $p^{sym}(j_T \mid i_T, b, s, \xi) = p^{sym}(j_T \mid i_T, b, s)$, because the probability $p^{sym}(j_T \mid i_T, b, s, i_I)$ is independent of $i_I$ by Lemma (3.4), and the condition $\Xi = \xi$ means $i_I P_C^T = \xi$, which is a condition on $i_I$. As a consequence, using the fact that (for any attack) $p(\xi \mid b, s) = 2^{-r}$, $p(i_T \mid b, s) = 2^{-n}$ and $p(i_T, \xi \mid b, s) = p(i_T \mid b, s)\, p(\xi \mid b, s)$ [so that $p(i_T, \xi \mid b, s) = 2^{-(n+r)}$], we get

$$\begin{aligned}
p^{sym}(i_T, j_T, \xi \mid b, s) &= p^{sym}(j_T \mid i_T, b, s, \xi)\, p^{sym}(i_T, \xi \mid b, s) \\
&= 2^{-(n+r)}\, p^{sym}(j_T \mid i_T, b, s) && \text{by the above} \\
&= 2^{-(n+r)}\, p^{sym}(j_T \mid i_T, b^0, s) && \text{by Lemma (3.6)} \\
&= 2^{-(n+r)}\, \big[p^{sym}(i_T, j_T \mid b^0, s) / p^{sym}(i_T \mid b^0, s)\big] && \text{by definition of } p(\cdot \mid \cdot) \\
&= p^{sym}(i_T, j_T \mid b^0, s)\, 2^{-r} && \text{due to } p(i_T \mid b^0, s) = 2^{-n}.
\end{aligned}$$

The result

$$\begin{aligned}
\sum_{|c_T| \le n p_a} P^{sym}[C_T = c_T \mid b, s]\; I(A; E^{sym} \mid I_T, C_T = c_T, b, s, \Xi)
&= \sum_{|i_T \oplus j_T| \le n p_a,\ i_T,\ \xi} P^{sym}(i_T, j_T \mid b^0, s)\, 2^{-r}\; I(A; E^{sym} \mid i_T, j_T, b, s, \xi) \\
&\le \sum_{|i_T \oplus j_T| \le n p_a,\ i_T,\ \xi} 2^{-r}\, P^{sym}(i_T, j_T \mid b^0, s)\; 2m\, \sqrt{P^{sym}\Big[|C_I| \ge \tfrac{\tilde v}{2} \,\Big|\, i_T, j_T, b^0, s\Big]}
\end{aligned}$$

now follows immediately from Corollary (4.2). Using the fact that the square root is a concave function (Jensen's inequality), $\sum_i p_i \sqrt{x_i} \le \sqrt{\sum_i p_i x_i}$, we get

$$\sum_{|c_T| \le n p_a} P^{sym}[C_T = c_T \mid b, s]\; I(A; E^{sym} \mid I_T, C_T = c_T, b, s, \Xi) \;\le\; 2m\, \sqrt{\sum_{|i_T \oplus j_T| \le n p_a,\ i_T,\ \xi} 2^{-r}\, P^{sym}(i_T, j_T \mid b^0, s)\; P^{sym}\Big[|C_I| \ge \tfrac{\tilde v}{2} \,\Big|\, i_T, j_T, b^0, s\Big]}$$

Finally, we get rid of the $2^{-r}$ factor by summing over $\xi$ (each value being equally likely), and we complete the proof using

$$\sum_{|i_T \oplus j_T| \le n p_a,\ i_T} P^{sym}\Big[|C_I| \ge \tfrac{\tilde v}{2} \,\Big|\, i_T, j_T, b^0, s\Big]\; P^{sym}(i_T, j_T \mid b^0, s) = P^{sym}\Big[\Big(|C_I| \ge \tfrac{\tilde v}{2}\Big) \wedge \big(|C_T| \le n p_a\big) \,\Big|\, b^0, s\Big].$$

□



C.7 A Proof of Lemma 5.4

Let

$$P\Big[\Big(\tfrac{|C_I|}{n} > p_a + \varepsilon\Big) \wedge \Big(\tfrac{|C_T|}{n} \le p_a\Big)\Big] = \sum_b P(b)\, h_b(p_a, \varepsilon)$$

with

$$h_b(p_a, \varepsilon) = P\Big[\Big(\tfrac{|C_I|}{n} > p_a + \varepsilon\Big) \wedge \Big(\tfrac{|C_T|}{n} \le p_a\Big) \,\Big|\, b\Big].$$

This $h_b(p_a, \varepsilon)$ is the probability that the information bits have $\varepsilon$ more than the allowed error rate when the test bits have less than the allowed error rate, averaged over all choices of test and information bits, for a particular basis $b$, and is given by

$$h_b(p_a, \varepsilon) = \sum_c P\Big[\Big(\tfrac{|C_I|}{n} > p_a + \varepsilon\Big) \wedge \Big(\tfrac{|C_T|}{n} \le p_a\Big) \,\Big|\, C = c, b\Big]\; P[C = c \mid b]$$

where $c$ runs over all possible error strings on all bits, test and information. Note that in principle $P[C = c \mid b]$ can be calculated, but we shall soon see that there is no need for it.

Now we must note that

$$P\Big[\Big(\tfrac{|C_I|}{n} > p_a + \varepsilon\Big) \wedge \Big(\tfrac{|C_T|}{n} \le p_a\Big) \,\Big|\, C = c, b\Big]$$

does not depend on the attack. And in fact, in the aforementioned expression, the basis $b$ is superfluous. Once the error string $c$ is fixed, the values $|C_I|/n$ and $|C_T|/n$ depend uniquely on the random string $s$. In fact $|C_I|/n$ is the average of a random sampling without replacement of $n$ bits taken from the $2n$ bits of $c$, whose mean $\mu$ is $|c|/2n$. From Hoeffding [22] we know that

$$P\Big[\tfrac{|C_I|}{n} \ge \tfrac{|c|}{2n} + \varepsilon \,\Big|\, C = c, b\Big] \le e^{-2n\varepsilon^2}. \qquad (C.8)$$

By definition $|c| = |c_I| + |c_T|$ and so

$$\frac{|c|}{2n} = \frac{|c_I|}{2n} + \frac{|c_T|}{2n}.$$

Replacing $|c|/2n$ by its value in (C.8) and simplifying (the event becomes $|C_I|/n \ge |C_T|/n + 2\varepsilon$; renaming $2\varepsilon$ as $\varepsilon$), equation (C.8) becomes

$$P\Big[\tfrac{|C_I|}{n} \ge \tfrac{|C_T|}{n} + \varepsilon \,\Big|\, C = c, b\Big] \le e^{-n\varepsilon^2/2}. \qquad (C.9)$$

Now, since

$$\Big(\tfrac{|C_I|}{n} > p_a + \varepsilon\Big) \wedge \Big(\tfrac{|C_T|}{n} \le p_a\Big) \;\Rightarrow\; \tfrac{|C_I|}{n} > \tfrac{|C_T|}{n} + \varepsilon,$$

we deduce from (C.9) that

$$P\Big[\Big(\tfrac{|C_I|}{n} > p_a + \varepsilon\Big) \wedge \Big(\tfrac{|C_T|}{n} \le p_a\Big) \,\Big|\, C = c, b\Big] \le e^{-n\varepsilon^2/2}$$

and consequently,

$$h_b(p_a, \varepsilon) = P\Big[\Big(\tfrac{|C_I|}{n} > p_a + \varepsilon\Big) \wedge \Big(\tfrac{|C_T|}{n} \le p_a\Big) \,\Big|\, b\Big] \le e^{-n\varepsilon^2/2}$$

and

$$P\Big[\Big(\tfrac{|C_I|}{n} > p_a + \varepsilon\Big) \wedge \Big(\tfrac{|C_T|}{n} \le p_a\Big)\Big] \le e^{-n\varepsilon^2/2}.$$
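The sampling-without-replacement argument of this proof made concrete: for a fixed $2n$-bit error string $c$ of given weight, the random split $s$ into $n$ test and $n$ information positions makes $|C_T|$ hypergeometric, so the probability of the bad event (information bits above $p_a + \varepsilon$ while test bits at or below $p_a$) can be computed exactly and compared with the attack-independent bound $e^{-n\varepsilon^2/2}$ derived above. This is an added example, not the paper's code; function names and the parameter values in the checks are constructed.

```python
import math


def exact_split_probability(n, weight, p_a, eps):
    """For a fixed 2n-bit error string c of Hamming weight `weight`, the random split s
    chooses the n test positions uniformly (sampling without replacement).  Returns
    P[ |c_I|/n > p_a + eps  and  |c_T|/n <= p_a | C = c ] exactly via the hypergeometric law."""
    total = math.comb(2 * n, n)
    prob = 0.0
    for c_t in range(0, min(n, weight) + 1):   # number of errors landing on test bits
        c_i = weight - c_t                      # the rest land on information bits
        if c_i > n:
            continue
        if c_t / n <= p_a and c_i / n > p_a + eps:
            prob += math.comb(weight, c_t) * math.comb(2 * n - weight, n - c_t) / total
    return prob


def hoeffding_split_bound(n, eps):
    """The bound e^{-n eps^2 / 2} obtained above; it depends on neither c, b nor the attack."""
    return math.exp(-n * eps * eps / 2)


def worst_case_over_weights(n, p_a, eps):
    """h_b(p_a, eps) is an average over c of the exact probability, so the maximum over the
    weight of c bounds h_b for every attack (every distribution P[C = c | b])."""
    return max(exact_split_probability(n, w, p_a, eps) for w in range(0, 2 * n + 1))
```

The point the Lemma makes is visible in `worst_case_over_weights`: Eve chooses how many errors she introduces, but not which of the $2n$ positions become test bits, so whatever weight she picks the bad event stays below the same exponential bound.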
D Eve's Information Versus the Disturbance

In this appendix we do not prove Lemma 4.2 immediately. We prove it later on, in the second subsection (the tight bound). For simplicity of the presentation, we first prove another Lemma which leads to a loose bound (with an additional factor of $2^r$), for which the derivation is simpler. The bulk of the loose bound was derived in [7], and is adapted here to the analysis of the joint attack. The tight bound is an improvement over that derivation, yielding a much better threshold for $p_{allowed}$: the loose bound leads to a threshold of less than 1%, while the threshold for the tight bound is 7.56%. One can skip directly to the second subsection if desired.

Both the loose and the tight bound are derived using the fact that the Shannon distinguishability between the parity 0 density matrix, $\rho_0$, and the parity 1 density matrix, $\rho_1$, is bounded ([7, 18]) by the trace norm of $\rho_0 - \rho_1$, and using the fact that we can easily calculate this trace norm when the purified states are given by Eq. (4.4).



D.1 The Loose Bound

Exploiting the techniques developed in [7] (to prove security against any collective attack) we now present a bound which is applicable to the joint attack.

We have already defined a purification of Eve's state: $|\phi_{i_I}\rangle = \sum_l (-1)^{l \cdot i_I} d_l |\eta_l\rangle$. The density matrix for such a $|\phi_{i_I}\rangle$ is

$$\rho^{i_I} = |\phi_{i_I}\rangle\langle\phi_{i_I}| = \sum_{l, l'} (-1)^{(l \oplus l') \cdot i_I}\, d_l d_{l'}\, |\eta_l\rangle\langle\eta_{l'}| \qquad (D.1)$$

Recall that the final key is computed as $b = v \cdot i_I$. Eve does not know $i_I$, but she knows $v$, and she knows (from the announced ECC parity string $\xi$) that $i_I$ is in the coset $C_\xi$. Hence, in order to know the key, Eve must distinguish between the states $i_I = i_\xi \oplus c$ in $C_\xi$ that give parity $b = 0$ and the states $i_I = i_\xi \oplus c$ in $C_\xi$ that give parity $b = 1$. For $b \in \{0, 1\}$ the reduced density matrix is

$$\rho_b(v, \xi) = \frac{1}{2^{k-1}} \sum_{\substack{c \in C \\ v \cdot (i_\xi \oplus c) = b}} \rho^{i_\xi \oplus c} = \frac{1}{2^{k-1}} \sum_{\substack{c \in C \\ v \cdot (i_\xi \oplus c) = b}}\ \sum_{l, l'} (-1)^{(l \oplus l') \cdot (i_\xi \oplus c)}\, d_l d_{l'}\, |\eta_l\rangle\langle\eta_{l'}|$$

where the sum is over values $c$ that satisfy both the condition of being a code word and the condition of leading to the particular parity $b$ for the PA.

Lemma D.1 Let $C$ be any linear code in $\{0,1\}^n$ and $a \in \{0,1\}^n$ be such that $a \notin C^\perp$; then

$$\sum_{c \in C} (-1)^{c \cdot a} = 0 \qquad (D.2)$$

Proof Let $\{w_1, \ldots, w_k\}$ be a basis of $C$. Define $t \in \{0,1\}^k$ by $t_\alpha = w_\alpha \cdot a$, $1 \le \alpha \le k$; $a \notin C^\perp$ means that $t$ is not the zero string. Let now $h : \{0,1\}^k \to C$ be defined by $h(s) = \sum_{1 \le \alpha \le k} s_\alpha w_\alpha$; then $h(s) \cdot a = \sum_\alpha s_\alpha\, w_\alpha \cdot a = \sum_\alpha s_\alpha t_\alpha = s \cdot t$ and so

$$\sum_{c \in C} (-1)^{c \cdot a} = \sum_s (-1)^{h(s) \cdot a} = \sum_s (-1)^{s \cdot t} = 0$$

□
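Lemma D.1 checked by brute force on a small code, as an added example (not the paper's code; the code used, the [7,4] Hamming code given by a constructed generator basis, and the function names are assumptions). The character sum $\sum_{c \in C}(-1)^{c \cdot a}$ is evaluated for every $a$ and compared with the Lemma: it vanishes exactly when $a \notin C^\perp$ and equals $|C| = 2^k$ when $a \in C^\perp$. The last function shows what this means for privacy amplification: a PA string $v \notin C^\perp$ splits every coset evenly between parity 0 and parity 1, which is why $\rho_0(v,\xi)$ and $\rho_1(v,\xi)$ above are normalised by $2^{k-1}$.

```python
def span(basis):
    """All codewords of the binary linear code generated by `basis` (ints used as bit vectors)."""
    words = {0}
    for w in basis:
        words |= {c ^ w for c in words}
    return sorted(words)


def dot(a, b):
    """Inner product over GF(2) of two bit vectors stored as ints."""
    return bin(a & b).count("1") & 1


def dual_code(code_basis, n):
    """C^perp: all n-bit vectors orthogonal to every generator of C."""
    return [a for a in range(1 << n) if all(dot(a, w) == 0 for w in code_basis)]


def character_sum(code, a):
    """sum_{c in C} (-1)^{c . a}, the left-hand side of (D.2)."""
    return sum(-1 if dot(c, a) else 1 for c in code)


def check_lemma_d1(code_basis, n):
    """True iff the sum is 0 for every a outside C^perp and |C| for every a inside it."""
    code = span(code_basis)
    dual = set(dual_code(code_basis, n))
    return all(character_sum(code, a) == (len(code) if a in dual else 0) for a in range(1 << n))


def parity_split(code, v):
    """(number of codewords with v.c = 0, number with v.c = 1); equal iff v not in C^perp."""
    ones = sum(dot(c, v) for c in code)
    return len(code) - ones, ones


# Constructed example: generator basis of the [7,4] Hamming code (bit 6 is the leftmost digit).
HAMMING_7_4 = [0b1000011, 0b0100101, 0b0010110, 0b0001111]
```

Because the parity check rows $v_1, \ldots, v_r$ span $C^\perp = V_r$, the requirement $v_{r+1} \notin V_r$ used in Appendices C.5 and D.2 is exactly the hypothesis of this Lemma.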

Lemma D.2 For any $(n, k, d)$ code $C$ with $r \times n$ parity check matrix $P_C$ of rank $r = n - k$, any $\xi \in \{0,1\}^r$ and any $v \in \{0,1\}^n$, the Shannon distinguishability $SD(\rho_0(v,\xi), \rho_1(v,\xi))$ between the parity 0 and the parity 1 of the information bits over any PA string, $v$, is bounded above by the following inequality:

$$SD(\rho_0(v,\xi), \rho_1(v,\xi)) \le 2^{r+1} \sqrt{\sum_{|l| \ge \tilde v/2} d_l^2} \qquad (D.3)$$

where $\tilde v$ is the minimum distance between $v$ and the code $C^\perp$, i.e. the minimum weight of $v \oplus v'$ for any $v' \in C^\perp$.

Proof The Shannon distinguishability between the parity 0 and the parity 1 is bounded by the trace norm of $\rho_0(v,\xi) - \rho_1(v,\xi)$, see [7, 18]. Let us calculate the required bound:

$$\rho_0(v,\xi) - \rho_1(v,\xi) = \frac{1}{2^{k-1}} \sum_{l, l'} d_l d_{l'}\, (-1)^{(l \oplus l' \oplus v) \cdot i_\xi}\, \Big(\sum_{c \in C} (-1)^{(l \oplus l' \oplus v) \cdot c}\Big)\, |\eta_l\rangle\langle\eta_{l'}|$$

From equation (D.2) we know the sum over $C$ is zero except when $l \oplus l' \oplus v \in C^\perp = V_r$, i.e. when $l' = l \oplus v \oplus v_s$ for some $v_s \in V_r$. As a consequence:

$$\rho_0(v,\xi) - \rho_1(v,\xi) = 2 \sum_{v_s \in V_r}\ \sum_l (-1)^{v_s \cdot i_\xi}\, d_l\, d_{l \oplus v \oplus v_s}\, |\eta_l\rangle\langle\eta_{l \oplus v \oplus v_s}|$$

As already said, the trace norm of this matrix serves as a bound on the information Eve receives [7, 18]:

$$SD(\rho_0(v,\xi), \rho_1(v,\xi)) \le \tfrac{1}{2} \mathrm{Tr}\,|\rho_0(v,\xi) - \rho_1(v,\xi)|$$
Using the above and making use of the triangle inequality for the trace norm, the following is obtained (where $SD(\rho_0(v,\xi), \rho_1(v,\xi))$ is denoted $SD_v$ for short):

$$SD_v \le \sum_{v_s \in V_r} \mathrm{Tr}\,\Big|\sum_l (-1)^{v_s \cdot i_\xi}\, d_l\, d_{l \oplus v \oplus v_s}\, |\eta_l\rangle\langle\eta_{l \oplus v \oplus v_s}|\Big| \le \sum_{v_s \in V_r}\ \sum_l d_l\, d_{l \oplus v \oplus v_s}$$

In the above, we made use of the fact that the trace norm is exactly computable for the needed matrix (the $|\eta_l\rangle$ are orthonormal, so each matrix is a weighted permutation whose singular values are the $|d_l\, d_{l \oplus v \oplus v_s}|$). Now we will concern ourselves with bounding each of the terms $\sum_l d_l d_{l \oplus w_s}$, where $w_s = v \oplus v_s$:

$$\sum_l d_l\, d_{l \oplus w_s} = \sum_{|l| \ge |w_s|/2} d_l\, d_{l \oplus w_s} + \sum_{|l| < |w_s|/2} d_l\, d_{l \oplus w_s} = \sum_{|l| \ge |w_s|/2} d_l\, d_{l \oplus w_s} + \sum_{|l' \oplus w_s| < |w_s|/2} d_{l' \oplus w_s}\, d_{l'}$$

(substituting $l = l' \oplus w_s$ in the second sum). If $|l' \oplus w_s| < |w_s|/2$ then $|w_s| = |l' \oplus w_s \oplus l'| \le |l' \oplus w_s| + |l'| < |w_s|/2 + |l'|$, and so $|l'| > |w_s|/2$. Therefore

$$\sum_l d_l\, d_{l \oplus w_s} \le \sum_{|l| \ge |w_s|/2} d_l\, d_{l \oplus w_s} + \sum_{|l'| > |w_s|/2} d_{l' \oplus w_s}\, d_{l'} \le 2 \sum_{|l| \ge |w_s|/2} d_l\, d_{l \oplus w_s} \le a \sum_{|l| \ge |w_s|/2} d^2_{l \oplus w_s} + \frac{1}{a} \sum_{|l| \ge |w_s|/2} d^2_l$$

where the last step is true for any real $a > 0$ and real $d_l$, $d_{l'}$ (using $2xy \le a x^2 + y^2/a$). Due to the fact that the $d_l^2$ form a probability distribution, any sum of them is less than or equal to unity:

$$\sum_l d_l\, d_{l \oplus w_s} \le a + \frac{1}{a} \sum_{|l| \ge |w_s|/2} d_l^2 \le a + \frac{1}{a} \sum_{|l| \ge \tilde v/2} d_l^2$$

where $\tilde v = \min_{v_s} |v \oplus v_s|$ (remember that $w_s = v \oplus v_s$). Summing over all $v_s \in V_r$ and setting $a = \sqrt{\sum_{|l| \ge \tilde v/2} d_l^2}$ now leaves:

$$SD_v \le 2^{r+1} \sqrt{\sum_{|l| \ge \tilde v/2} d_l^2} \qquad (D.4)$$

□

Following the proof of the above Lemma, one can guess that it is not a tight bound, since we sum over $2^r$ terms while most of them do not contribute to the sum (or contribute negligible values). This understanding led us to reach a tighter bound.



D.2 Eve's Information about One Bit: Tight Bound

We will now make a finer analysis of Eve's state after she learns the parity matrix $P_C$ and the parity string $\xi$. We start again from the equality:

$$|\phi_{i_I}\rangle = \sum_l (-1)^{l \cdot i_I} d_l |\eta_l\rangle \qquad (D.5)$$

Let $v_1, \ldots, v_r$ be the rows of $P_C$, and $v_{r+1} = v$. It is assumed that the sequence $v_1, \ldots, v_{r+1}$ is linearly independent; it can thus be extended to a basis $v_1, \ldots, v_n$ of $\{0,1\}^n$. For any $r'$ let $V_{r'}$ be the span of $\{v_1, \ldots, v_{r'}\}$ and $V'_{r'}$ be the span of $\{v_{r'+1}, \ldots, v_n\}$. For all $r'$, the spaces $V_{r'}$ and $V'_{r'}$ are complementary; this means that any element $l \in \{0,1\}^n$ has a unique representation $l = m \oplus n$ with $m \in V'_{r'}$ and $n \in V_{r'}$.

For $\xi \in \{0,1\}^r$, let $i_\xi$ denote some fixed $n$-bit string such that $i_\xi P_C^T = \xi$ (existence is guaranteed by the fact that $P_C$ has maximal rank). For any $i_I \in C_\xi$ we have $(i_I - i_\xi) P_C^T = \xi - \xi = 0$ and so $i_I - i_\xi \in C$, and thus, for any $n \in V_r = C^\perp$, $(i_I - i_\xi) \cdot n = 0$, i.e. $i_I \cdot n = i_\xi \cdot n$.

Putting those remarks together we get:

$$|\phi_{i_I}\rangle = \sum_{m \in V'_r} (-1)^{m \cdot i_I} \sum_{n \in V_r} (-1)^{n \cdot i_\xi}\, d_{m \oplus n}\, |\eta_{m \oplus n}\rangle$$

Let us write

$$|\phi_{i_I}\rangle = \sum_{m \in V'_r} (-1)^{m \cdot i_I}\, d'_m\, |\eta'_m\rangle \qquad (D.6)$$

where, for each $m \in V'_r$, $|\eta'_m\rangle$ is defined by $d'_m |\eta'_m\rangle = \sum_{n \in V_r} (-1)^{n \cdot i_\xi}\, d_{m \oplus n}\, |\eta_{m \oplus n}\rangle$ with $|\eta'_m\rangle$ normalized, so that $d'_m$ is the norm of the right-hand side. The density matrix for $|\phi_{i_I}\rangle$ then reduces to:

$$\rho^{i_I} = \sum_{m, m' \in V'_r} (-1)^{(m \oplus m') \cdot i_I}\, d'_m d'_{m'}\, |\eta'_m\rangle\langle\eta'_{m'}|$$

Due to Proposition 4.1 (the orthogonality of the $\eta_m$), we get that $\langle\eta_{m \oplus n_1} \mid \eta_{m \oplus n_2}\rangle = 0$ except when $n_1 \oplus n_2 = 0$. Together with Eq. (D.6) this implies

$$d'^2_m = \sum_{n \in V_r} d^2_{m \oplus n}. \qquad (D.7)$$

Recall that the final key is computed as $b = v \cdot i_I$. Of course, Eve does not know $i_I$, but she knows $v$ and she knows (from the announced ECC parity string $\xi$) that $i_I \in C_\xi = \{i_\xi \oplus c \mid c \in C\}$. Eve wants to determine $b$. For $b \in \{0,1\}$ the reduced density matrix is

$$\rho_b(v, \xi) = \frac{1}{2^{k-1}} \sum_{\substack{c \in C \\ (i_\xi \oplus c) \cdot v = b}} \rho^{i_\xi \oplus c}$$

We can now prove

Lemma 4.2 The Shannon distinguishability between the parity 0 and the parity 1 of the information bits over any PA string, $v$, is bounded above by the following inequality:

$$SD(\rho_0(v,\xi), \rho_1(v,\xi)) \le 2 \sqrt{\sum_{|l| \ge \tilde v/2} d_l^2} \qquad (D.8)$$

where $\tilde v = d_H(v, V_r)$ is the minimum weight of $v \oplus v_s$ for any $v_s \in V_r$.
Proof The Shannon distinguishability between the parity 0 and the parity 1 is 
bounded by the trace norm of $\rho_0(v,\xi) - \rho_1(v,\xi)$:

$$\rho_0(v,\xi) - \rho_1(v,\xi) = \frac{1}{2^{n-(r+1)}}\sum \cdots = \frac{1}{2^{n-(r+1)}}\sum \cdots = \frac{1}{2^{n-(r+1)}}\sum_{m,m'\in V'_r}\Big(\cdots \sum_{c\in C} \cdots\Big)$$



Applying equality (D.2) the sum indexed by $c$ is zero except when $m\oplus m'\oplus v\in 
C^\perp = V_r$. But $m\oplus m'\oplus v\in V'_r$ because $m$, $m'$ and $v\in V'_r$. This implies 
$m\oplus m'\oplus v\in V_r\cap V'_r = \{0\}$ and thus $m' = m\oplus v$. Of course, with $m\oplus m'\oplus v = 0$, 
the sum indexed by $c$ is $2^k = 2^{n-r}$ and the coefficient is 2.

Therefore $\rho_0(v,\xi) - \rho_1(v,\xi)$ takes the very simple form:



(D.9) 



We now claim that

$$V'_r = V'_{r+1}\cup\{m\oplus v \mid m\in V'_{r+1}\} \quad\text{(disjoint union)} \qquad \text{(D.10)}$$

$$\text{if } d_H(m,V_r) < \hat v/2 \text{ then } d_H(m\oplus v,V_r)\ge \hat v/2 \quad\text{for any } m\in\{0,1\}^n \qquad \text{(D.11)}$$

Claim (D.10) follows from the fact that $v_{r+1} = v$, $V'_r$ is the span of $\{v_{r+1},\dots,v_n\}$ 
and $V'_{r+1}$ is the span of $\{v_{r+2},\dots,v_n\}$, and that those elements are all linearly 
independent. As for claim (D.11), if $d_H(m,V_r) < \hat v/2$ and $d_H(m\oplus v,V_r) < \hat v/2$, 
then there are $n$ and $n'$ in $V_r$ such that $|m\oplus n| < \hat v/2$ and $|m\oplus v\oplus n'| < \hat v/2$. This 
implies that $|m\oplus n\oplus m\oplus v\oplus n'| < \hat v$. However $m\oplus n\oplus m\oplus v\oplus n' = n\oplus n'\oplus v$ 
and $n\oplus n'\in V_r$, and this contradicts the fact that $\hat v = d_H(v,V_r)$.
Now, using claim (D.10), we can rewrite Eq. (D.9):

$$\rho_0(v,\xi) - \rho_1(v,\xi) = 2\sum_{m\in V'_{r+1}}\sqrt{d'_m d'_{m\oplus v}}\,\Big(|\eta''_m\rangle\langle\eta''_{m\oplus v}| + |\eta''_{m\oplus v}\rangle\langle\eta''_m|\Big)$$

As usual, the trace norm of this matrix serves as a bound on the information Eve 
receives. It is

$$SD\big(\rho_0(v,\xi),\rho_1(v,\xi)\big) \le \tfrac12\,\mathrm{Tr}\,\big|\rho_0(v,\xi) - \rho_1(v,\xi)\big|$$

Writing $SD_v$ instead of $SD(\rho_0(v,\xi),\rho_1(v,\xi))$ for short:



$$SD_v \le \mathrm{Tr}\,\Big|\sum_{m\in V'_{r+1}}\sqrt{d'_m d'_{m\oplus v}}\,\Big(|\eta''_m\rangle\langle\eta''_{m\oplus v}| + |\eta''_{m\oplus v}\rangle\langle\eta''_m|\Big)\Big| = \sum_{m\in V'_r}\sqrt{d'_m d'_{m\oplus v}}$$

Now we wish to give a bound in terms of the original values $d_l$. Using the fact that 
for any $a > 0$ and any real numbers $x, y$, $0 \le (a^{1/2}x - a^{-1/2}y)^2 = ax^2 + y^2/a - 2xy$, 
we get the general inequality $2xy \le ax^2 + y^2/a$, and therefore

$$\begin{aligned}
SD_v &\le \sum_{\substack{m\in V'_r\\ d_H(m,V_r)\ge\hat v/2}}\sqrt{d'_m d'_{m\oplus v}} + \sum_{\substack{m\in V'_r\\ d_H(m,V_r)<\hat v/2}}\sqrt{d'_{m\oplus v} d'_m}\\
&\le \sum_{\substack{m\in V'_r\\ d_H(m,V_r)\ge\hat v/2}}\Big(\frac a2 d'_m + \frac1{2a} d'_{m\oplus v}\Big) + \sum_{\substack{m\in V'_r\\ d_H(m,V_r)<\hat v/2}}\Big(\frac a2 d'_{m\oplus v} + \frac1{2a} d'_m\Big)\\
&\le a\sum_{\substack{m\in V'_r\\ d_H(m,V_r)\ge\hat v/2}} d'_m + \frac1a\sum_{m\in V'_r} d'_m && \text{by Eqs. (D.10, D.11)}\\
&= a\sum_{\substack{m\in V'_r,\,n\in V_r\\ d_H(m,V_r)\ge\hat v/2}} d_{m\oplus n} + \frac1a\sum_{m\in V'_r,\,n\in V_r} d_{m\oplus n} && \text{by Eq. (D.7)}\\
&\le a\sum_{|l|\ge\hat v/2} d_l + \frac1a\sum_{l} d_l .
\end{aligned}$$

Now we fix $a = 1/\sqrt{\sum_{|l|\ge\hat v/2} d_l}$ and, since $\sum_l d_l = 1$, obtain:

$$SD_v \le 2\sqrt{\sum_{|l|\ge\hat v/2} d_l} \qquad \text{(D.12)}$$



□ 



Note that $\hat v = d_H(v,V_r)$ where $r$ is the number of parity check strings. 
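A brute-force check of the objects used in Lemma 4.2 on a small constructed instance, added here as an example and not part of the paper: it builds $V_r$ and $V'_r$ for $n = 7$, computes $\hat v = d_H(v,V_r)$, verifies claims (D.10) and (D.11) by exhaustion, and evaluates the right-hand side of (D.8) for a constructed, normalized family $d_l$ (a product distribution; the paper's $d_l$ come from Eve's state and are not specified here). The parity rows, the PA string and the vectors completing them to a basis are assumptions of the example.

```python
from math import sqrt

# Constructed toy instance (not from the paper): bit strings are Python ints,
# XOR is the group operation on {0,1}^n.
N = 7
PARITY_ROWS = [0b1110000, 0b0000111]     # v_1, v_2: rows of P_C, so r = 2
PA_STRING = 0b1001001                    # v = v_{r+1}: the PA string
EXTRA_ROWS = [0b1000000, 0b0100000, 0b0000100, 0b0000010]  # complete to a basis


def weight(x):
    """Hamming weight |x|."""
    return bin(x).count("1")


def span(vectors):
    """All GF(2) linear combinations of the given vectors."""
    s = {0}
    for vec in vectors:
        s |= {x ^ vec for x in s}
    return s


def d_H(x, subspace):
    """Hamming distance d_H(x, W) from x to the nearest element of W."""
    return min(weight(x ^ w) for w in subspace)


def v_hat(v, parity_rows):
    """hat v = d_H(v, V_r): the minimum weight of v xor v_s over v_s in V_r."""
    return d_H(v, span(parity_rows))


def check_claims(n, parity_rows, v, extra_rows):
    """Exhaustively verify (D.10) and (D.11) for the basis v_1..v_r, v, extra rows."""
    basis = list(parity_rows) + [v] + list(extra_rows)
    if len(span(basis)) != 2 ** n:
        raise ValueError("rows do not form a basis of {0,1}^n")
    r = len(parity_rows)
    V_r = span(basis[:r])          # span of v_1..v_r
    Vp_r = span(basis[r:])         # V'_r     = span of v_{r+1}..v_n
    Vp_r1 = span(basis[r + 1:])    # V'_{r+1} = span of v_{r+2}..v_n
    shifted = {m ^ v for m in Vp_r1}
    # (D.10): V'_r is the disjoint union of V'_{r+1} and v xor V'_{r+1}
    d10 = Vp_r == (Vp_r1 | shifted) and not (Vp_r1 & shifted)
    # (D.11): m and m xor v cannot both be closer than hat v / 2 to V_r
    half = v_hat(v, parity_rows) / 2
    d11 = all(not (d_H(m, V_r) < half and d_H(m ^ v, V_r) < half)
              for m in range(2 ** n))
    return d10 and d11


def sd_bound(n, parity_rows, v, d):
    """Right-hand side of (D.8): 2 * sqrt(sum of d_l over |l| >= hat v / 2)."""
    half = v_hat(v, parity_rows) / 2
    tail = sum(d[l] for l in range(2 ** n) if weight(l) >= half)
    return 2 * sqrt(tail)


def product_weights(n, p):
    """Constructed d_l: independent bit flips with probability p, so sum_l d_l = 1."""
    return [p ** weight(l) * (1 - p) ** (n - weight(l)) for l in range(2 ** n)]


if __name__ == "__main__":
    d = product_weights(N, 0.1)
    print("v_hat =", v_hat(PA_STRING, PARITY_ROWS))
    print("(D.10) and (D.11) hold:", check_claims(N, PARITY_ROWS, PA_STRING, EXTRA_ROWS))
    print("bound (D.8) =", round(sd_bound(N, PARITY_ROWS, PA_STRING, d), 4))
```

With these rows $\hat v = 3$, so only strings of weight at least 2 contribute to the tail sum in (D.8); the exhaustive check of (D.11) is the point of the example, since it is the step that lets one of each pair $m$, $m\oplus v$ be charged to the tail.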



E Existence of Codes for Both Reliability and Security 



Choosing a code which is good when $n$ is large (for constant error rate) is not a 
trivial problem in ECC. A Random Linear Code (RLC) is one such code; however, 
it does not promise us that the distances are as required, but only gives the desired 
distances with probability as close to one as we want. With RLC, we find that the 
threshold below which a secure key can be obtained is $p_{\rm allowed} < 7.56\%$. 

In order to correct $t$ errors with certainty, a code must have a minimal Hamming 
distance between the code words $\ge 2t+1$, so that all original code words, 
even when distorted by $t$ errors, can still be identified correctly. For any $c_T$ which 
passes the test, we are promised (due to Lemma 5.4) that the probability of having 
$t = |c_I| > n(p_{\rm allowed}+\epsilon_{\rm rel})$ errors is smaller than $h = e^{-\frac12 n\epsilon_{\rm rel}^2}$. 

Thus, we need to choose a RLC that promises a Hamming distance at least $d$ 
such that $p_{\rm allowed}+\epsilon_{\rm rel} < t/n = (d-1)/(2n)$, and then the $t$ errors are corrected except 
for a probability smaller than $h = e^{-\frac12 n\epsilon_{\rm rel}^2}$. However, RLC can never promise a 
specific minimal distance with certainty, but can only promise it with probability 
exponentially close to one: for any $n$, $r = n-k$, and for $\delta$ such that $H_2(\delta) < r/n$, 
an arbitrary random linear code $(n,k,d)$ satisfies $d/n > \delta$, except for a probability 
(see [19], Theorem 2.2)

$$P[d/n < \delta] < c(\delta)\,2^{n(H_2(\delta) - r/n)} = g_1 , \qquad \text{(E.1)}$$

where $c(\delta) = \frac{1-2\delta}{1-\delta}$. 

If we choose $\delta = 2(p_{\rm allowed}+\epsilon_{\rm rel}) + 1/n$ then we are promised that the errors are 
corrected, except for some probability (bounded by $h$) that the error rate is larger 
than expected, and some probability (bounded by $g_1$) that a bad random code was 
chosen. 

Using such a code, $\epsilon_{\rm rel}$ is now a function of $\delta$ so that $\epsilon_{\rm rel} = \delta/2 - 1/(2n) - 
p_{\rm allowed}$ and therefore, 

and almost all such codes correct all the errors. One could conclude that the code 
is reliable except for a probability $g_1 + h$, but this is not the case here; although 
the code is randomly produced, it can still be checked in advance, and used only if 
it satisfies the condition on $d$. Thus the term $g_1$ does not need to be added (see the 
footnote below) to the reliability bound, and the bound is then given by $h$ alone. 

Recall that we choose $\epsilon_{\rm sec}$ such that $\hat v > 2n(p_{\rm allowed}+\epsilon_{\rm sec})$. Let $\hat v$ be the 
minimal distance between one PA string and any other parity check string (or linear 
combination) taken from ECC and PA. Clearly, the minimal Hamming weight of the dual 
code of the ECC, once the PA strings are also added, provides a lower bound on $\hat v$. Thus, 
it is sufficient to demand $d^\perp > 2n(p_{\rm allowed}+\epsilon_{\rm sec})$ in order to prove security. 
Choosing a RLC for the ECC and PA, one cannot be completely sure that the 
distance indeed satisfies the constraint, but this shall be true [19] with probability 
exponentially close to one (and can be checked in advance). We use the dual code 



Footnote: We can still add the term $g_1$ and this saves us the need to find the minimal distance of 
the code. 
$(n, r^\perp, d^\perp)$, where $r^\perp = n - r - m$. Such codes satisfy $d^\perp/n > \delta^\perp$, except for a 
fraction of

$$P[d^\perp/n < \delta^\perp] < c(\delta^\perp)\,2^{n(H_2(\delta^\perp) - (n-r-m)/n)} = g_2 \qquad \text{(E.3)}$$

with $\delta^\perp = 2(p_{\rm allowed}+\epsilon_{\rm sec})$. 

Assuming that Eve gets full information (namely, $m$ bits) when the code fails, 
we get, due to the above and Proposition 5.1,

$$\langle I_{\rm Eve}\rangle \le m\big(2e^{-\frac12 n\epsilon_{\rm sec}^2} + g_2\big) \qquad \text{(E.4)}$$

but we can get rid of $g_2$ by checking the code in advance (see the footnote below). If we demand that

$$H_2(\delta) - r/n < 0 ,$$
$$H_2(\delta^\perp) + r/n + m/n - 1 < 0 ,$$

then both $g_1$ and $g_2$ are exponentially small. Written another way:

$$H_2(2p_{\rm allowed} + 2\epsilon_{\rm rel} + 1/n) < r/n$$
$$H_2(2p_{\rm allowed} + 2\epsilon_{\rm sec}) + r/n < 1 - R_{\rm secret}$$

where $R_{\rm secret} = m/n$. 

In order to find the threshold on $p_{\rm allowed}$ we combine these two equations together:

$$H_2(2p_{\rm allowed} + 2\epsilon_{\rm sec}) + H_2(2p_{\rm allowed} + 2\epsilon_{\rm rel} + 1/n) < 1 - R_{\rm secret} . \qquad \text{(E.5)}$$

In the limit of large $n$ and the two $\epsilon$'s close to zero, we get that $p_{\rm allowed} < 5.50\%$ 
satisfies the bound and hence this is our threshold. [We can then choose the appro- 
priate $r/n$ so that both $g_1$ and $g_2$ are exponentially small.] 

Asymptotically, a final key with a bit-rate $R_{\rm secret} < 1 - H_2(2p_a) - H_2(2p_a)$ is 
secure and reliable for the given ECC+PA chosen at random. Note that as $p_a$ goes to 
zero, $R_{\rm secret}$ goes to 1, which means all the information bits are secret (asymptoti- 
cally). 

The above result can be improved (as noticed first by Mayers [27]) by taking a 
RLC with distance $d = t+1$ instead of $d = 2t+1$. Namely, $d - 1 > n(p_{\rm allowed}+\ep silon_{\rm rel})$ 
(without the factor of 2). Due to Shannon's bound [25] such a code can also correct 
$t = n(p_{\rm allowed}+\epsilon_{\rm rel})$ errors with probability of failure smaller than $\delta$ (for any $\delta$). 
This is true provided that $r/n > H_2(p_{\rm allowed}+\epsilon_{\rm rel})$, and that a sufficiently large $n$ 
is chosen, but we did not find an explicit connection between $n$ and $\delta$, as we did 
with the other probabilities $g_1$, $g_2$, and $h$. 

The above is true except for an exponentially small probability $g_1'$ that the code 
got the wrong distance [19], and an exponentially small probability $h'$ that the code 
is fine yet there are more errors in the information bits than expected. 

Footnote: Or we can add that term to Eve's information and this saves us the need to find the 
minimal distance of the dual code. 
Choosing now $\delta = p_{\rm allowed} + \epsilon_{\rm rel} + 1/n$, the term $g_1'$ is still the same as before, 
but with a different $\delta$ than before. The condition for $g_1'$ to be exponentially small 
becomes now

$$H_2(p_{\rm allowed} + \epsilon_{\rm rel} + 1/n) < r/n .$$

The term $h'$ (telling us the probability of having more errors on the information 
bits than expected from the test results) is 

One could conclude that the code is reliable except for a probability $g_1' + h' + \delta$, 
but (again) the term $g_1'$ can be removed if we check the code in advance to make 
sure it has the right distance. The bound is thus given by $h' + \delta$. However, we do 
not have an exponentially small expression for $\delta$ (as a function of $n$) and it is only 
known that we can render the error as small as we want by taking a sufficiently 
large $n$. 

For the security proof we choose $\epsilon_{\rm sec}$ such that $\hat v > 2n(p_{\rm allowed}+\epsilon_{\rm sec})$, and 
we demand $d^\perp > 2n(p_{\rm allowed}+\epsilon_{\rm sec})$. Choosing a RLC for the ECC and PA, one 
cannot be completely sure that the distance indeed satisfies the constraint, but this 
shall be true with probability exponentially close to one (and can be checked in 
advance). As before, we use the dual code $(n, r^\perp, d^\perp)$, where $r^\perp = n - r - m$. 
Such codes satisfy $d^\perp/n > \delta^\perp$, except for a fraction of

$$P[d^\perp/n < \delta^\perp] < c(\delta^\perp)\,2^{n(H_2(\delta^\perp) - (n-r-m)/n)} = g_2' \qquad \text{(E.6)}$$

with $\delta^\perp = 2(p_{\rm allowed}+\epsilon_{\rm sec})$. As before, we can get rid of $g_2'$ by checking the code 
in advance. 

In order for $g_2'$ to be exponentially small we demand

$$H_2(\delta^\perp) + r/n + m/n - 1 < 0 ,$$

so finally:

$$H_2(p_{\rm allowed} + \epsilon_{\rm rel} + 1/n) < r/n$$
$$H_2(2p_{\rm allowed} + 2\epsilon_{\rm sec}) + H_2(p_{\rm allowed} + \epsilon_{\rm rel} + 1/n) < 1 - R_{\rm secret}$$

where $R_{\rm secret} = m/n$. 

In the limit of large $n$ and $\epsilon$'s close to zero, $p_{\rm allowed} < 7.56\%$ satisfies the bound 
and hence this is our improved threshold. With this threshold we have an explicit 
bound on Eve's information, but only an asymptotic bound for the probability of 
failing in terms of reliability. 
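The two asymptotic thresholds (5.50% from (E.5) and 7.56% from the improved pair of conditions above), together with the finite-$n$ terms $g_1$, $g_2$ and $h$ of (E.1), (E.3) and (E.4), worked through numerically. This is an added example, not code from the paper; it takes $c(\delta) = (1-2\delta)/(1-\delta)$ as written under (E.1) and $h = e^{-\frac12 n\epsilon_{\rm rel}^2}$ as stated above, and the parameter values in the usage call ($n$, $p_{\rm allowed}$, the two $\epsilon$'s, $r/n$, $m/n$) are constructed.

```python
from math import log2, exp


def h2(x):
    """Binary entropy H_2(x) in bits, with H_2(0) = H_2(1) = 0."""
    if x <= 0.0 or x >= 1.0:
        return 0.0
    return -x * log2(x) - (1 - x) * log2(1 - x)


def threshold(lhs, lo=0.0, hi=0.25, iters=100):
    """Largest p in [lo, hi] with lhs(p) < 1, by bisection; lhs must be increasing there."""
    for _ in range(iters):
        mid = (lo + hi) / 2
        if lhs(mid) < 1.0:
            lo = mid
        else:
            hi = mid
    return lo


def threshold_e5():
    """(E.5) with n -> infinity, eps_rel, eps_sec -> 0 and R_secret -> 0."""
    return threshold(lambda p: h2(2 * p) + h2(2 * p))


def threshold_improved():
    """Same limit for the improved conditions (ECC with d = t + 1)."""
    return threshold(lambda p: h2(2 * p) + h2(p))


def c_delta(delta):
    """c(delta) as written under (E.1)."""
    return (1 - 2 * delta) / (1 - delta)


def finite_n_budget(n, p_allowed, eps_rel, eps_sec, r_over_n, m_over_n):
    """Finite-n terms for the d >= 2t+1 construction: delta and delta_perp,
    the bad-code probabilities g1 (E.1) and g2 (E.3), the excess-error term h,
    and whether the two exponents are negative (the conditions before (E.5))."""
    delta = 2 * (p_allowed + eps_rel) + 1.0 / n
    delta_perp = 2 * (p_allowed + eps_sec)
    exp_g1 = n * (h2(delta) - r_over_n)
    exp_g2 = n * (h2(delta_perp) - (1.0 - r_over_n - m_over_n))
    return {
        "delta": delta,
        "delta_perp": delta_perp,
        "g1": c_delta(delta) * 2.0 ** exp_g1,
        "g2": c_delta(delta_perp) * 2.0 ** exp_g2,
        "h": exp(-0.5 * n * eps_rel ** 2),
        "g1_small": h2(delta) < r_over_n,
        "g2_small": h2(delta_perp) + r_over_n + m_over_n < 1.0,
    }


if __name__ == "__main__":
    print("threshold from (E.5): %.4f" % threshold_e5())
    print("improved threshold:   %.4f" % threshold_improved())
    # Constructed sample parameters, not from the paper.
    b = finite_n_budget(n=100_000, p_allowed=0.03, eps_rel=0.01, eps_sec=0.01,
                        r_over_n=0.5, m_over_n=0.09)
    for key, val in b.items():
        print(key, val)
```

The sample call shows the point made in the text about $h$: with $\epsilon_{\rm rel} = 0.01$ the code-distance terms $g_1$, $g_2$ are already negligible at $n = 10^5$, while $h = e^{-5}$ is still of order $10^{-2}$, so the test tolerance rather than the code is what drives the required $n$.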



